ai-sdlc 0.2.0-alpha.3 → 0.2.0-alpha.5

package/dist/agents/implementation.d.ts

@@ -93,10 +93,66 @@ export declare function checkACCoverage(story: Story): boolean;
  * or the maximum number of cycles is reached.
  */
 export declare function runTDDImplementation(story: Story, sdlcRoot: string, options?: TDDImplementationOptions): Promise<AgentResult>;
+/**
+ * Options for the retry loop
+ */
+export interface RetryAttemptOptions {
+    story: Story;
+    storyPath: string;
+    workingDir: string;
+    maxRetries: number;
+    reworkContext?: string;
+    onProgress?: AgentProgressCallback;
+}
+/**
+ * Attempt implementation with retry logic
+ *
+ * Runs the implementation loop, retrying on test failures up to maxRetries times.
+ * Includes no-change detection to exit early if the agent makes no progress.
+ *
+ * @param options Retry attempt options
+ * @param changesMade Array to track changes (mutated in place)
+ * @returns AgentResult with success/failure status
+ */
+export declare function attemptImplementationWithRetries(options: RetryAttemptOptions, changesMade: string[]): Promise<AgentResult>;
 /**
  * Implementation Agent
  *
  * Executes the implementation plan, creating code changes and tests.
  */
 export declare function runImplementationAgent(storyPath: string, sdlcRoot: string, options?: AgentOptions): Promise<AgentResult>;
+/**
+ * Capture the current git diff hash for no-change detection
+ * @param workingDir The working directory
+ * @returns SHA256 hash of git diff HEAD
+ */
+export declare function captureCurrentDiffHash(workingDir: string): string;
+/**
+ * Check if changes have occurred since last diff hash
+ * @param previousHash Previous diff hash
+ * @param currentHash Current diff hash
+ * @returns True if changes occurred (hashes are different)
+ */
+export declare function hasChangesOccurred(previousHash: string, currentHash: string): boolean;
+/**
+ * Sanitize test output to remove ANSI escape sequences and potential injection patterns
+ * @param output Test output string
+ * @returns Sanitized output
+ */
+export declare function sanitizeTestOutput(output: string): string;
+/**
+ * Truncate test output to prevent overwhelming the LLM
+ * @param output Test output string
+ * @param maxLength Maximum length (default 5000 chars)
+ * @returns Truncated and sanitized output with notice if truncated
+ */
+export declare function truncateTestOutput(output: string, maxLength?: number): string;
+/**
+ * Build retry prompt for implementation agent
+ * @param testOutput Test failure output
+ * @param attemptNumber Current attempt number (1-indexed)
+ * @param maxRetries Maximum number of retries
+ * @returns Prompt string for retry attempt
+ */
+export declare function buildRetryPrompt(testOutput: string, buildOutput: string, attemptNumber: number, maxRetries: number): string;
 //# sourceMappingURL=implementation.d.ts.map

package/dist/agents/implementation.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"implementation.d.ts","sourceRoot":"","sources":["../../src/agents/implementation.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,aAAa,EAAE,qBAAqB,EAAE,MAAM,mBAAmB,CAAC;AACzE,OAAO,EAAE,KAAK,EAAE,WAAW,EAAE,YAAY,EAAa,MAAM,mBAAmB,CAAC;AAChF,OAAO,EAAE,YAAY,EAAE,MAAM,eAAe,CAAC;AAK7C,YAAY,EAAE,qBAAqB,EAAE,CAAC;AAEtC;;GAEG;AACH,MAAM,WAAW,cAAc;IAC7B,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,EAAE,MAAM,CAAC;IACjB,SAAS,EAAE,MAAM,CAAC;IAClB,MAAM,EAAE,MAAM,CAAC;IACf,OAAO,EAAE,OAAO,CAAC;CAClB;AAED;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B,UAAU,EAAE,MAAM,CAAC;IACnB,aAAa,CAAC,EAAE,OAAO,aAAa,CAAC;IACrC,UAAU,CAAC,EAAE,qBAAqB,CAAC;CACpC;AAED;;GAEG;AACH,MAAM,WAAW,wBAAwB;IACvC,aAAa,CAAC,EAAE,OAAO,aAAa,CAAC;IACrC,aAAa,CAAC,EAAE,OAAO,aAAa,CAAC;IACrC,WAAW,CAAC,EAAE,OAAO,WAAW,CAAC;IACjC,UAAU,CAAC,EAAE,qBAAqB,CAAC;CACpC;AAED,eAAO,MAAM,iBAAiB,8zBAuB+B,CAAC;AAsB9D;;GAEG;AACH,wBAAsB,aAAa,CACjC,QAAQ,EAAE,MAAM,EAChB,UAAU,EAAE,MAAM,EAClB,WAAW,EAAE,MAAM,GAClB,OAAO,CAAC;IAAE,MAAM,EAAE,OAAO,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE,CAAC,CAgD9C;AAED;;GAEG;AACH,wBAAsB,WAAW,CAC/B,UAAU,EAAE,MAAM,EAClB,WAAW,EAAE,MAAM,GAClB,OAAO,CAAC;IAAE,MAAM,EAAE,OAAO,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE,CAAC,CAgD9C;AAWD;;;;;;;;GAQG;AACH,wBAAsB,oBAAoB,CACxC,UAAU,EAAE,MAAM,EAClB,OAAO,EAAE,MAAM,EACf,WAAW,EAAE,MAAM,EACnB,UAAU,GAAE,OAAO,WAAyB,GAC3C,OAAO,CAAC;IAAE,SAAS,EAAE,OAAO,CAAC;IAAC,MAAM,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC,CA8BlD;AAmDD;;;;;GAKG;AACH,wBAAsB,eAAe,CACnC,KAAK,EAAE,KAAK,EACZ,WAAW,EAAE,MAAM,EACnB,OAAO,EAAE,eAAe,GACvB,OAAO,CAAC,cAAc,CAAC,CAqCzB;AAED;;;;;GAKG;AACH,wBAAsB,iBAAiB,CACrC,KAAK,EAAE,KAAK,EACZ,WAAW,EAAE,MAAM,EACnB,QAAQ,EAAE,MAAM,EAChB,OAAO,EAAE,eAAe,GACvB,OAAO,CAAC,cAAc,CAAC,CAoCzB;AAED;;;;;GAKG;AACH,wBAAsB,oBAAoB,CACxC,KAAK,EAAE,KAAK,EACZ,WAAW,EAAE,MAAM,EACnB,QAAQ,EAAE,MAAM,EAChB,OAAO,EAAE,eAAe,GACvB,OAAO,CAAC,cAAc,CAAC,CAwCzB;AAED;;GAEG;AACH,wBAAgB,cAAc,CAC5B,WAAW,EAAE,MAAM,EACnB,SAAS,EAAE,cAAc,EACzB,WAAW,EAAE,cAAc,EAC3B,cAAc,EAAE,cAAc,GAC7B,YAAY,CAYd;AAED;;GAEG;AACH,wBAAgB,eAAe,CAAC,KAAK,EAAE,KAAK,GAAG,OAAO,CAuBrD;AAED;;;;;GAKG;AACH,wBAAsB,oBAAoB,CACxC,KAAK,EAAE,KAAK,EACZ,QAAQ,EAAE,MAAM,EAChB,OAAO,GAAE,wBAA6B,GACrC,OAAO,CAAC,WAAW,CAAC,CA6ItB;AAED;;;;GAIG;AACH,wBAAsB,sBAAsB,CAC1C,SAAS,EAAE,MAAM,EACjB,QAAQ,EAAE,MAAM,EAChB,OAAO,GAAE,YAAiB,GACzB,OAAO,CAAC,WAAW,CAAC,CAmMtB"}
+{"version":3,"file":"implementation.d.ts","sourceRoot":"","sources":["../../src/agents/implementation.ts"],"names":[],"mappings":"AAYA,OAAO,EAAE,aAAa,EAAE,qBAAqB,EAAE,MAAM,mBAAmB,CAAC;AACzE,OAAO,EAAE,KAAK,EAAE,WAAW,EAAE,YAAY,EAAa,MAAM,mBAAmB,CAAC;AAChF,OAAO,EAAE,YAAY,EAAE,MAAM,eAAe,CAAC;AAM7C,YAAY,EAAE,qBAAqB,EAAE,CAAC;AAEtC;;GAEG;AACH,MAAM,WAAW,cAAc;IAC7B,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,EAAE,MAAM,CAAC;IACjB,SAAS,EAAE,MAAM,CAAC;IAClB,MAAM,EAAE,MAAM,CAAC;IACf,OAAO,EAAE,OAAO,CAAC;CAClB;AAED;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B,UAAU,EAAE,MAAM,CAAC;IACnB,aAAa,CAAC,EAAE,OAAO,aAAa,CAAC;IACrC,UAAU,CAAC,EAAE,qBAAqB,CAAC;CACpC;AAED;;GAEG;AACH,MAAM,WAAW,wBAAwB;IACvC,aAAa,CAAC,EAAE,OAAO,aAAa,CAAC;IACrC,aAAa,CAAC,EAAE,OAAO,aAAa,CAAC;IACrC,WAAW,CAAC,EAAE,OAAO,WAAW,CAAC;IACjC,UAAU,CAAC,EAAE,qBAAqB,CAAC;CACpC;AAED,eAAO,MAAM,iBAAiB,8zBAuB+B,CAAC;AAsB9D;;GAEG;AACH,wBAAsB,aAAa,CACjC,QAAQ,EAAE,MAAM,EAChB,UAAU,EAAE,MAAM,EAClB,WAAW,EAAE,MAAM,GAClB,OAAO,CAAC;IAAE,MAAM,EAAE,OAAO,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE,CAAC,CAgD9C;AAED;;GAEG;AACH,wBAAsB,WAAW,CAC/B,UAAU,EAAE,MAAM,EAClB,WAAW,EAAE,MAAM,GAClB,OAAO,CAAC;IAAE,MAAM,EAAE,OAAO,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE,CAAC,CAgD9C;AAWD;;;;;;;;GAQG;AACH,wBAAsB,oBAAoB,CACxC,UAAU,EAAE,MAAM,EAClB,OAAO,EAAE,MAAM,EACf,WAAW,EAAE,MAAM,EACnB,UAAU,GAAE,OAAO,WAAyB,GAC3C,OAAO,CAAC;IAAE,SAAS,EAAE,OAAO,CAAC;IAAC,MAAM,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC,CAiDlD;AAmDD;;;;;GAKG;AACH,wBAAsB,eAAe,CACnC,KAAK,EAAE,KAAK,EACZ,WAAW,EAAE,MAAM,EACnB,OAAO,EAAE,eAAe,GACvB,OAAO,CAAC,cAAc,CAAC,CAqCzB;AAED;;;;;GAKG;AACH,wBAAsB,iBAAiB,CACrC,KAAK,EAAE,KAAK,EACZ,WAAW,EAAE,MAAM,EACnB,QAAQ,EAAE,MAAM,EAChB,OAAO,EAAE,eAAe,GACvB,OAAO,CAAC,cAAc,CAAC,CAoCzB;AAED;;;;;GAKG;AACH,wBAAsB,oBAAoB,CACxC,KAAK,EAAE,KAAK,EACZ,WAAW,EAAE,MAAM,EACnB,QAAQ,EAAE,MAAM,EAChB,OAAO,EAAE,eAAe,GACvB,OAAO,CAAC,cAAc,CAAC,CAwCzB;AAED;;GAEG;AACH,wBAAgB,cAAc,CAC5B,WAAW,EAAE,MAAM,EACnB,SAAS,EAAE,cAAc,EACzB,WAAW,EAAE,cAAc,EAC3B,cAAc,EAAE,cAAc,GAC7B,YAAY,CAYd;AAED;;GAEG;AACH,wBAAgB,eAAe,CAAC,KAAK,EAAE,KAAK,GAAG,OAAO,CAuBrD;AAED;;;;;GAKG;AACH,wBAAsB,oBAAoB,CACxC,KAAK,EAAE,KAAK,EACZ,QAAQ,EAAE,MAAM,EAChB,OAAO,GAAE,wBAA6B,GACrC,OAAO,CAAC,WAAW,CAAC,CA6ItB;AAED;;GAEG;AACH,MAAM,WAAW,mBAAmB;IAClC,KAAK,EAAE,KAAK,CAAC;IACb,SAAS,EAAE,MAAM,CAAC;IAClB,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,MAAM,CAAC;IACnB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,UAAU,CAAC,EAAE,qBAAqB,CAAC;CACpC;AAaD;;;;;;;;;GASG;AACH,wBAAsB,gCAAgC,CACpD,OAAO,EAAE,mBAAmB,EAC5B,WAAW,EAAE,MAAM,EAAE,GACpB,OAAO,CAAC,WAAW,CAAC,CA2MtB;AAED;;;;GAIG;AACH,wBAAsB,sBAAsB,CAC1C,SAAS,EAAE,MAAM,EACjB,QAAQ,EAAE,MAAM,EAChB,OAAO,GAAE,YAAiB,GACzB,OAAO,CAAC,WAAW,CAAC,CAyLtB;AAgCD;;;;GAIG;AACH,wBAAgB,sBAAsB,CAAC,UAAU,EAAE,MAAM,GAAG,MAAM,CAuBjE;AAED;;;;;GAKG;AACH,wBAAgB,kBAAkB,CAAC,YAAY,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,GAAG,OAAO,CAErF;AAED;;;;GAIG;AACH,wBAAgB,kBAAkB,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,CAkBzD;AAED;;;;;GAKG;AACH,wBAAgB,kBAAkB,CAAC,MAAM,EAAE,MAAM,EAAE,SAAS,GAAE,MAAa,GAAG,MAAM,CAYnF;AAED;;;;;;GAMG;AACH,wBAAgB,gBAAgB,CAC9B,UAAU,EAAE,MAAM,EAClB,WAAW,EAAE,MAAM,EACnB,aAAa,EAAE,MAAM,EACrB,UAAU,EAAE,MAAM,GACjB,MAAM,CAsCR"}

package/dist/agents/implementation.js

@@ -1,9 +1,10 @@
-import { execSync, spawn } from 'child_process';
+import { spawn, spawnSync } from 'child_process';
 import path from 'path';
-import { parseStory, writeStory, updateStoryStatus, updateStoryField } from '../core/story.js';
+import { parseStory, writeStory, updateStoryStatus, updateStoryField, resetImplementationRetryCount, incrementImplementationRetryCount, getEffectiveMaxImplementationRetries, } from '../core/story.js';
 import { runAgentQuery } from '../core/client.js';
 import { loadConfig, DEFAULT_TDD_CONFIG } from '../core/config.js';
 import { verifyImplementation } from './verification.js';
+import { createHash } from 'crypto';
 export const TDD_SYSTEM_PROMPT = `You are practicing strict Test-Driven Development.
 
 Your workflow MUST follow this exact cycle:
@@ -160,12 +161,16 @@ function escapeShellArg(arg) {
  */
 export async function commitIfAllTestsPass(workingDir, message, testTimeout, testRunner = runAllTests) {
     try {
-        // Check for uncommitted changes
-        const status = execSync('git status --porcelain', {
+        // Security: Validate working directory before use
+        validateWorkingDir(workingDir);
+        // Check for uncommitted changes using spawn with shell: false
+        const statusResult = spawnSync('git', ['status', '--porcelain'], {
             cwd: workingDir,
-            encoding: 'utf-8'
+            encoding: 'utf-8',
+            shell: false,
+            stdio: ['ignore', 'pipe', 'pipe'],
         });
-        if (!status.trim()) {
+        if (statusResult.status !== 0 || !statusResult.stdout || !statusResult.stdout.trim()) {
             return { committed: false, reason: 'nothing to commit' };
         }
         // Run FULL test suite
@@ -173,12 +178,23 @@ export async function commitIfAllTestsPass(workingDir, message, testTimeout, tes
         if (!testResult.passed) {
             return { committed: false, reason: 'tests failed' };
         }
-        // Commit changes
-        execSync('git add -A', { cwd: workingDir, stdio: 'pipe' });
-        execSync(`git commit -m ${escapeShellArg(message)}`, {
+        // Commit changes using spawn with shell: false
+        const addResult = spawnSync('git', ['add', '-A'], {
             cwd: workingDir,
-            stdio: 'pipe'
+            shell: false,
+            stdio: 'pipe',
         });
+        if (addResult.status !== 0) {
+            throw new Error(`git add failed: ${addResult.stderr}`);
+        }
+        const commitResult = spawnSync('git', ['commit', '-m', message], {
+            cwd: workingDir,
+            shell: false,
+            stdio: 'pipe',
+        });
+        if (commitResult.status !== 0) {
+            throw new Error(`git commit failed: ${commitResult.stderr}`);
+        }
         return { committed: true };
     }
     catch (error) {
@@ -515,6 +531,189 @@ export async function runTDDImplementation(story, sdlcRoot, options = {}) {
         error: `TDD: Maximum cycles (${tddConfig.maxCycles}) reached without completing all acceptance criteria.`,
     };
 }
+/**
+ * Attempt implementation with retry logic
+ *
+ * Runs the implementation loop, retrying on test failures up to maxRetries times.
+ * Includes no-change detection to exit early if the agent makes no progress.
+ *
+ * @param options Retry attempt options
+ * @param changesMade Array to track changes (mutated in place)
+ * @returns AgentResult with success/failure status
+ */
+export async function attemptImplementationWithRetries(options, changesMade) {
+    const { story, storyPath, workingDir, maxRetries, reworkContext, onProgress } = options;
+    let attemptNumber = 0;
+    let lastVerification = null;
+    let lastDiffHash = ''; // Initialize to empty string, will capture after first failure
+    const attemptHistory = [];
+    while (attemptNumber <= maxRetries) {
+        attemptNumber++;
+        let prompt = `Implement this story based on the plan:
+
+Title: ${story.frontmatter.title}
+
+Story content:
+${story.content}`;
+        if (reworkContext) {
+            prompt += `
+
+---
+${reworkContext}
+---
+
+IMPORTANT: This is a refinement iteration. The previous implementation did not pass review.
+You MUST fix all the issues listed above. Pay special attention to blocker and critical
+severity issues - these must be resolved. Review the specific feedback and make targeted fixes.`;
+        }
+        // Add retry context if this is a retry attempt
+        if (attemptNumber > 1 && lastVerification) {
+            prompt += '\n\n' + buildRetryPrompt(lastVerification.testsOutput, lastVerification.buildOutput, attemptNumber, maxRetries);
+        }
+        else {
+            prompt += `
+
+Execute the implementation plan. For each task:
+1. Read relevant existing files
+2. Make necessary code changes
+3. Write tests if applicable
+4. Verify the changes work
+
+Use the available tools to read files, write code, and run commands as needed.`;
+        }
+        // Send progress callback for all attempts (not just retries)
+        if (onProgress) {
+            if (attemptNumber === 1) {
+                onProgress({ type: 'assistant_message', content: `Starting implementation attempt 1/${maxRetries + 1}...` });
+            }
+            else {
+                onProgress({ type: 'assistant_message', content: `Analyzing test failures, retrying implementation (${attemptNumber - 1}/${maxRetries})...` });
+            }
+        }
+        const implementationResult = await runAgentQuery({
+            prompt,
+            systemPrompt: IMPLEMENTATION_SYSTEM_PROMPT,
+            workingDirectory: workingDir,
+            onProgress,
+        });
+        // Add implementation notes to the story
+        const notePrefix = attemptNumber > 1 ? `Implementation Notes - Retry ${attemptNumber - 1}` : 'Implementation Notes';
+        const implementationNotes = `
+### ${notePrefix} (${new Date().toISOString().split('T')[0]})
+
+${implementationResult}
+`;
+        // Append to story content
+        const updatedStory = parseStory(storyPath);
+        updatedStory.content += '\n\n' + implementationNotes;
+        writeStory(updatedStory);
+        changesMade.push(attemptNumber > 1 ? `Added retry ${attemptNumber - 1} notes` : 'Added implementation notes');
+        changesMade.push('Running verification before marking complete...');
+        const verification = await verifyImplementation(updatedStory, workingDir);
+        updateStoryField(updatedStory, 'last_test_run', {
+            passed: verification.passed,
+            failures: verification.failures,
+            timestamp: verification.timestamp,
+        });
+        if (verification.passed) {
+            // Success! Reset retry count and return success
+            resetImplementationRetryCount(updatedStory);
+            changesMade.push('Verification passed - implementation successful');
+            // Send success progress callback
+            if (onProgress) {
+                onProgress({ type: 'assistant_message', content: `Implementation succeeded on attempt ${attemptNumber}` });
+            }
+            return {
+                success: true,
+                story: parseStory(storyPath),
+                changesMade,
+            };
+        }
+        // Verification failed - check for retry conditions
+        lastVerification = verification;
+        // Capture current diff hash for no-change detection
+        const currentDiffHash = captureCurrentDiffHash(workingDir);
+        // Track retry attempt
+        incrementImplementationRetryCount(updatedStory);
+        // Extract first 100 chars of test and build output for history
+        const testSnippet = verification.testsOutput.substring(0, 100).replace(/\n/g, ' ');
+        const buildSnippet = verification.buildOutput.substring(0, 100).replace(/\n/g, ' ');
+        // Determine if there are build failures (build output contains error indicators)
+        const hasBuildErrors = verification.buildOutput &&
+            (verification.buildOutput.includes('error') ||
+                verification.buildOutput.includes('Error') ||
+                verification.buildOutput.includes('failed'));
+        const buildFailures = hasBuildErrors ? 1 : 0;
+        // Record this attempt in history with both test and build failures
+        attemptHistory.push({
+            attempt: attemptNumber,
+            testFailures: verification.failures,
+            buildFailures,
+            testSnippet,
+            buildSnippet,
+        });
+        // Add structured retry entry to changes array
+        if (attemptNumber > 1) {
+            changesMade.push(`Implementation retry ${attemptNumber - 1}/${maxRetries}: ${verification.failures} test(s) failing`);
+        }
+        else {
+            changesMade.push(`Attempt ${attemptNumber}: ${verification.failures} test(s) failing`);
+        }
+        // Check for no-change scenario (agent made no progress)
+        // Only check after first failure (attemptNumber > 1)
+        // Check this BEFORE max retries to fail fast on identical changes
+        if (attemptNumber > 1 && lastDiffHash && lastDiffHash === currentDiffHash) {
+            return {
+                success: false,
+                story: parseStory(storyPath),
+                changesMade,
+                error: `Implementation blocked: No progress detected on retry attempt ${attemptNumber - 1}. Agent made identical changes. Stopping retries early.\n\nLast test output:\n${truncateTestOutput(verification.testsOutput, 1000)}`,
+            };
+        }
+        // Check if we've reached max retries
+        if (attemptHistory.length > maxRetries) {
+            const attemptSummary = attemptHistory
+                .map((a) => {
+                const parts = [];
+                if (a.testFailures > 0) {
+                    parts.push(`${a.testFailures} test(s)`);
+                }
+                if (a.buildFailures > 0) {
+                    parts.push(`${a.buildFailures} build error(s)`);
+                }
+                const errors = parts.length > 0 ? parts.join(', ') : 'verification failed';
+                const snippets = [];
+                if (a.testSnippet && a.testSnippet.trim()) {
+                    snippets.push(`[test: ${a.testSnippet}]`);
+                }
+                if (a.buildSnippet && a.buildSnippet.trim()) {
+                    snippets.push(`[build: ${a.buildSnippet}]`);
+                }
+                const snippetText = snippets.length > 0 ? ` - ${snippets.join(' ')}` : '';
+                return `  Attempt ${a.attempt}: ${errors}${snippetText}`;
+            })
+                .join('\n');
+            return {
+                success: false,
+                story: parseStory(storyPath),
+                changesMade,
+                error: `Implementation blocked after ${attemptNumber} attempts:\n${attemptSummary}\n\nLast test output:\n${truncateTestOutput(verification.testsOutput, 5000)}`,
+            };
+        }
+        lastDiffHash = currentDiffHash;
+        // Continue to next retry attempt - send progress update
+        if (onProgress) {
+            onProgress({ type: 'assistant_message', content: `Retry ${attemptNumber} failed: ${verification.failures} test(s) failing, attempting retry ${attemptNumber + 1}...` });
+        }
+    }
+    // If we exit the loop without returning, all retries exhausted (shouldn't normally reach here)
+    return {
+        success: false,
+        story: parseStory(storyPath),
+        changesMade,
+        error: 'Implementation failed: All retry attempts exhausted without resolution.',
+    };
+}
 /**
  * Implementation Agent
  *
@@ -526,28 +725,50 @@ export async function runImplementationAgent(storyPath, sdlcRoot, options = {})
     const changesMade = [];
     const workingDir = path.dirname(sdlcRoot);
     try {
+        // Security: Validate working directory before git operations
+        validateWorkingDir(workingDir);
         // Create a feature branch for this story
         const branchName = `ai-sdlc/${story.slug}`;
+        // Security: Validate branch name before use
+        validateBranchName(branchName);
         try {
-            // Check if we're in a git repo
-            execSync('git rev-parse --git-dir', { cwd: workingDir, stdio: 'pipe' });
-            // Create and checkout branch (or checkout if exists)
-            try {
-                execSync(`git checkout -b ${branchName}`, { cwd: workingDir, stdio: 'pipe' });
-                changesMade.push(`Created branch: ${branchName}`);
+            // Check if we're in a git repo using spawn with shell: false
+            const revParseResult = spawnSync('git', ['rev-parse', '--git-dir'], {
+                cwd: workingDir,
+                shell: false,
+                stdio: 'pipe',
+            });
+            if (revParseResult.status !== 0) {
+                changesMade.push('No git repo detected, skipping branch creation');
             }
-            catch {
-                // Branch might already exist
-                try {
-                    execSync(`git checkout ${branchName}`, { cwd: workingDir, stdio: 'pipe' });
-                    changesMade.push(`Checked out existing branch: ${branchName}`);
+            else {
+                // Create and checkout branch (or checkout if exists) using spawn with shell: false
+                const checkoutNewResult = spawnSync('git', ['checkout', '-b', branchName], {
+                    cwd: workingDir,
+                    shell: false,
+                    stdio: 'pipe',
+                });
+                if (checkoutNewResult.status === 0) {
+                    changesMade.push(`Created branch: ${branchName}`);
                 }
-                catch {
-                    // Not a git repo or other error, continue without branching
+                else {
+                    // Branch might already exist, try to checkout
+                    const checkoutResult = spawnSync('git', ['checkout', branchName], {
+                        cwd: workingDir,
+                        shell: false,
+                        stdio: 'pipe',
+                    });
+                    if (checkoutResult.status === 0) {
+                        changesMade.push(`Checked out existing branch: ${branchName}`);
+                    }
+                    else {
+                        // Not a git repo or other error, continue without branching
+                        changesMade.push('Failed to create or checkout branch, continuing without branching');
+                    }
                 }
+                // Update story with branch info
+                updateStoryField(story, 'branch', branchName);
             }
-            // Update story with branch info
-            updateStoryField(story, 'branch', branchName);
         }
         catch {
             // Not a git repo, continue without branching
@@ -571,7 +792,8 @@ export async function runImplementationAgent(storyPath, sdlcRoot, options = {})
             // Merge changes
             changesMade.push(...tddResult.changesMade);
             if (tddResult.success) {
-                changesMade.push('Running verification before marking complete...');
+                // TDD completed all cycles - now verify with retry support
+                changesMade.push('Running final verification...');
                 const verification = await verifyImplementation(tddResult.story, workingDir);
                 updateStoryField(tddResult.story, 'last_test_run', {
                     passed: verification.passed,
@@ -579,13 +801,18 @@ export async function runImplementationAgent(storyPath, sdlcRoot, options = {})
                     timestamp: verification.timestamp,
                 });
                 if (!verification.passed) {
+                    // TDD final verification failed - this is unexpected since TDD should ensure all tests pass
+                    // Reset retry count since this is the first failure at this stage
+                    resetImplementationRetryCount(tddResult.story);
                     return {
                         success: false,
                         story: parseStory(currentStoryPath),
                         changesMade,
-                        error: `Implementation blocked: ${verification.failures} test(s) failing. Fix tests before completing.`,
+                        error: `TDD implementation blocked: ${verification.failures} test(s) failing after completing all cycles.\nThis is unexpected - TDD cycles should ensure all tests pass.\n\nTest output:\n${truncateTestOutput(verification.testsOutput, 1000)}`,
                     };
                 }
+                // Success - reset retry count
+                resetImplementationRetryCount(tddResult.story);
                 updateStoryField(tddResult.story, 'implementation_complete', true);
                 changesMade.push('Marked implementation_complete: true');
                 return {
@@ -603,65 +830,24 @@ export async function runImplementationAgent(storyPath, sdlcRoot, options = {})
                 };
             }
         }
-        // Standard implementation (non-TDD mode)
-        let prompt = `Implement this story based on the plan:
-
-Title: ${story.frontmatter.title}
-
-Story content:
-${story.content}`;
-        if (options.reworkContext) {
-            prompt += `
-
----
-${options.reworkContext}
----
-
-IMPORTANT: This is a refinement iteration. The previous implementation did not pass review.
-You MUST fix all the issues listed above. Pay special attention to blocker and critical
-severity issues - these must be resolved. Review the specific feedback and make targeted fixes.`;
-        }
-        prompt += `
-
-Execute the implementation plan. For each task:
-1. Read relevant existing files
-2. Make necessary code changes
-3. Write tests if applicable
-4. Verify the changes work
-
-Use the available tools to read files, write code, and run commands as needed.`;
-        const implementationResult = await runAgentQuery({
-            prompt,
-            systemPrompt: IMPLEMENTATION_SYSTEM_PROMPT,
-            workingDirectory: workingDir,
+        // Standard implementation (non-TDD mode) with retry logic
+        // Use per-story override if set, otherwise config default (capped at upper bound)
+        const maxRetries = getEffectiveMaxImplementationRetries(story, config);
+        // Use extracted retry function for better testability
+        const retryResult = await attemptImplementationWithRetries({
+            story,
+            storyPath: currentStoryPath,
+            workingDir,
+            maxRetries,
+            reworkContext: options.reworkContext,
             onProgress: options.onProgress,
-        });
-        // Add implementation notes to the story
-        const implementationNotes = `
-### Implementation Notes (${new Date().toISOString().split('T')[0]})
-
-${implementationResult}
-`;
-        // Append to story content
-        const updatedStory = parseStory(currentStoryPath);
-        updatedStory.content += '\n\n' + implementationNotes;
-        writeStory(updatedStory);
-        changesMade.push('Added implementation notes');
-        changesMade.push('Running verification before marking complete...');
-        const verification = await verifyImplementation(updatedStory, workingDir);
-        updateStoryField(updatedStory, 'last_test_run', {
-            passed: verification.passed,
-            failures: verification.failures,
-            timestamp: verification.timestamp,
-        });
-        if (!verification.passed) {
-            return {
-                success: false,
-                story: parseStory(currentStoryPath),
-                changesMade,
-                error: `Implementation blocked: ${verification.failures} test(s) failing. Fix tests before completing.`,
-            };
+        }, changesMade);
+        // If retry loop failed, return the failure result
+        if (!retryResult.success) {
+            return retryResult;
         }
+        // If we get here, verification passed
+        const updatedStory = parseStory(currentStoryPath);
         // Commit changes after successful standard implementation
         try {
             const commitResult = await commitIfAllTestsPass(workingDir, `feat(${story.slug}): ${story.frontmatter.title}`, config.timeouts?.testTimeout || 300000);
@@ -693,4 +879,148 @@ ${implementationResult}
         };
     }
 }
+/**
+ * Validate working directory path for safety
+ * @param workingDir The working directory path to validate
+ * @throws Error if path contains shell metacharacters or traversal attempts
+ */
+function validateWorkingDir(workingDir) {
+    // Check for shell metacharacters that could be used in command injection
+    if (/[;&|`$()<>]/.test(workingDir)) {
+        throw new Error('Invalid working directory: contains shell metacharacters');
+    }
+    // Prevent path traversal attempts
+    const normalizedPath = path.normalize(workingDir);
+    if (normalizedPath.includes('..')) {
+        throw new Error('Invalid working directory: path traversal attempt detected');
+    }
+}
+/**
+ * Validate branch name for safety
+ * @param branchName The branch name to validate
+ * @throws Error if branch name contains invalid characters
+ */
+function validateBranchName(branchName) {
+    // Git branch names must match safe pattern (alphanumeric, dash, slash, underscore)
+    if (!/^[a-zA-Z0-9_/-]+$/.test(branchName)) {
+        throw new Error('Invalid branch name: contains unsafe characters');
+    }
+}
+/**
+ * Capture the current git diff hash for no-change detection
+ * @param workingDir The working directory
+ * @returns SHA256 hash of git diff HEAD
+ */
+export function captureCurrentDiffHash(workingDir) {
+    try {
+        // Security: Validate working directory before use
+        validateWorkingDir(workingDir);
+        // Use spawnSync with shell: false to prevent command injection
+        const result = spawnSync('git', ['diff', 'HEAD'], {
+            cwd: workingDir,
+            shell: false,
+            encoding: 'utf-8',
+            stdio: ['ignore', 'pipe', 'pipe'],
+        });
+        if (result.status === 0 && result.stdout) {
+            return createHash('sha256').update(result.stdout).digest('hex');
+        }
+        // Git command failed, return empty hash
+        return '';
+    }
+    catch (error) {
+        // If validation fails or git command fails, return empty hash
+        return '';
+    }
+}
+/**
+ * Check if changes have occurred since last diff hash
+ * @param previousHash Previous diff hash
+ * @param currentHash Current diff hash
+ * @returns True if changes occurred (hashes are different)
+ */
+export function hasChangesOccurred(previousHash, currentHash) {
+    return previousHash !== currentHash;
+}
+/**
+ * Sanitize test output to remove ANSI escape sequences and potential injection patterns
+ * @param output Test output string
+ * @returns Sanitized output
+ */
+export function sanitizeTestOutput(output) {
+    if (!output)
+        return '';
+    let sanitized = output
+        // Remove ANSI CSI sequences (SGR parameters - colors, styles)
+        .replace(/\x1B\[[0-9;]*[a-zA-Z]/g, '')
+        // Remove ANSI DCS sequences (Device Control String)
+        .replace(/\x1BP[^\x1B]*\x1B\\/g, '')
+        // Remove ANSI PM sequences (Privacy Message)
+        .replace(/\x1B\^[^\x1B]*\x1B\\/g, '')
+        // Remove ANSI OSC sequences (Operating System Command) - terminated by BEL or ST
+        .replace(/\x1B\][^\x07\x1B]*(\x07|\x1B\\)/g, '')
+        // Remove any remaining standalone escape characters
+        .replace(/\x1B/g, '')
+        // Remove other control characters except newline, tab, carriage return
+        .replace(/[\x00-\x08\x0B-\x0C\x0E-\x1F\x7F-\x9F]/g, '');
+    return sanitized;
+}
+/**
+ * Truncate test output to prevent overwhelming the LLM
+ * @param output Test output string
+ * @param maxLength Maximum length (default 5000 chars)
+ * @returns Truncated and sanitized output with notice if truncated
+ */
+export function truncateTestOutput(output, maxLength = 5000) {
+    if (!output)
+        return '';
+    // First sanitize to remove ANSI and control characters
+    const sanitized = sanitizeTestOutput(output);
+    if (sanitized.length <= maxLength) {
+        return sanitized;
+    }
+    const truncated = sanitized.substring(0, maxLength);
+    return truncated + `\n\n[Output truncated. Showing first ${maxLength} characters of ${sanitized.length} total.]`;
+}
+/**
+ * Build retry prompt for implementation agent
+ * @param testOutput Test failure output
+ * @param attemptNumber Current attempt number (1-indexed)
+ * @param maxRetries Maximum number of retries
+ * @returns Prompt string for retry attempt
+ */
+export function buildRetryPrompt(testOutput, buildOutput, attemptNumber, maxRetries) {
+    const truncatedTestOutput = truncateTestOutput(testOutput);
+    const truncatedBuildOutput = truncateTestOutput(buildOutput);
+    let prompt = `CRITICAL: Tests are failing. You attempted implementation but verification failed.
+
+This is retry attempt ${attemptNumber} of ${maxRetries}. Previous attempts failed with similar errors.
+
+`;
+    if (buildOutput && buildOutput.trim().length > 0) {
+        prompt += `Build Output:
+\`\`\`
+${truncatedBuildOutput}
+\`\`\`
+
+`;
+    }
+    if (testOutput && testOutput.trim().length > 0) {
+        prompt += `Test Output:
+\`\`\`
+${truncatedTestOutput}
+\`\`\`
+
+`;
+    }
+    prompt += `Your task:
+1. ANALYZE the test/build output above - what is actually failing?
+2. Compare EXPECTED vs ACTUAL results in the errors
+3. Identify the root cause in your implementation code
+4. Fix ONLY the production code (do NOT modify tests unless they're clearly wrong)
+5. Re-run verification
+
+Focus on fixing the specific failures shown above.`;
+    return prompt;
+}
 //# sourceMappingURL=implementation.js.map