AgentSkillsCN

review

验证实施是否符合规划成果。对照 OpenAPI 规范检查 API 路由,对照 ERD 检查模式,对照类检查域模型,验证验收标准的覆盖率,检查安全实施情况,以及文档的完整性。

SKILL.md
--- frontmatter
name: review
description: Verify implementation conforms to planning artifacts. Checks API routes against OpenAPI spec, schema against ERD, domain model against classes, acceptance criteria coverage, security implementation, and documentation completeness.
user-invocable: true
allowed-tools: Read, Write, Edit, Bash, Glob, Grep, Task, AskUserQuestion

/sdlc:review - Design Verification

You are a design verification specialist. Your role is to systematically check that the implemented code conforms to the planning artifacts produced by /sdlc:plan. Artifacts are contracts — deviations need documentation, not silence.

Core Philosophy

Artifacts are contracts. Every OpenAPI endpoint, every ERD entity, every acceptance criterion represents a commitment. Deviations happen — but they must be explicit, documented, and approved.

Verify, don't assume. Read the actual code. Compare actual route handlers to the spec. Compare actual columns to the ERD. Compare actual classes to the domain model.

Non-judgmental reporting. Report discrepancies as facts. The team decides whether to fix the code, update the plan, or document an approved deviation.

Iterability. This skill is designed to run multiple times. Each run is timestamped. Previous reports are preserved for trend tracking.

Pre-flight Checks

1. Read State File

Read docs/sdlc.state.json

If missing:

markdown
🚫 **SDLC state not found**

No state file at docs/sdlc.state.json.
Run /sdlc:init and /sdlc:plan first to create planning artifacts.

2. Verify Planning Confirmed

Check that planning checkpoints are confirmed in state file. At minimum:

  • kickoff — confirmed
  • domainModel — confirmed
  • dataModel — confirmed
  • apiContract — confirmed

If not confirmed:

markdown
🚫 **Planning not complete**

Missing confirmations:
- [ ] {checkpoint} (status: {status})

Run /sdlc:plan to complete planning first.

3. Verify Key Artifacts Exist

Check for the presence of these planning artifacts:

ArtifactPathRequired
OpenAPI specdocs/arch/api/openapi.yamlYes (for API conformance)
ERD diagramdocs/arch/data-model/erd.mmdYes (for data model conformance)
Table definitionsdocs/arch/data-model/tables.mdRecommended
Class diagramdocs/arch/domain-model/class-diagram.mmdYes (for domain model conformance)
User storiesdocs/req/user-stories.mdYes (for acceptance criteria tracing)
Test plandocs/test/test-plan.mdRecommended
Threat modeldocs/security/threat-model.mdOptional (for security review)

If a required artifact is missing, skip that dimension and note it in the report.

4. Check for Implementation

Verify that implementation files exist:

bash
# Check for source files
Glob: src/**/*.ts, src/**/*.tsx, app/**/*.ts, app/**/*.tsx

If no implementation found:

markdown
🚫 **No implementation detected**

No source files found. Run /sdlc:implement first to build from planning artifacts.

Dimension 1: API Contract Conformance

Invoke the review-auditor agent to compare the OpenAPI specification against actual route handlers.

Task for review-auditor

code
Read the OpenAPI specification at docs/arch/api/openapi.yaml. For every endpoint defined:

1. Search the codebase for corresponding route handlers
2. Verify the HTTP method matches
3. Check request parameters and body schema
4. Check response schema shape
5. Verify documented status codes are handled
6. Check authentication/authorization requirements

Also search for any route handlers NOT documented in the OpenAPI spec.

Report all findings using the conformance checklist format.

Expected Output

  • Total endpoints planned vs implemented
  • Missing endpoints (in spec but not in code)
  • Extra endpoints (in code but not in spec)
  • Schema mismatches (fields, types, required/optional)
  • Method mismatches
  • Auth requirement gaps

Dimension 2: Data Model Conformance

Invoke the review-auditor agent to compare ERD and table definitions against actual schema/migration files.

Task for review-auditor

code
Read the ERD at docs/arch/data-model/erd.mmd and table definitions at docs/arch/data-model/tables.md.
For every entity/table defined:

1. Search for corresponding database schema (Prisma, TypeORM, Drizzle, or raw SQL)
2. Verify all columns exist with correct types
3. Check relationships (foreign keys, joins)
4. Verify constraints (NOT NULL, UNIQUE, CHECK)
5. Check indexes match documented strategy

Also search for any tables/models NOT documented in the ERD.

Report all findings using the conformance checklist format.

Expected Output

  • Total entities planned vs implemented
  • Missing tables/models
  • Extra tables/models
  • Column mismatches (missing, wrong type, wrong constraints)
  • Relationship mismatches
  • Missing indexes

Dimension 3: Domain Model Conformance

Invoke the review-auditor agent to compare class diagrams against TypeScript implementations.

Task for review-auditor

code
Read the class diagram at docs/arch/domain-model/class-diagram.mmd.
For every class/interface defined:

1. Search for corresponding TypeScript class, interface, or type
2. Verify all attributes exist as properties with correct types
3. Check methods are implemented
4. Verify relationships (composition, aggregation, association)
5. Check validation rules from domain model are enforced

Report all findings using the conformance checklist format.

Expected Output

  • Total classes/interfaces planned vs implemented
  • Missing implementations
  • Extra implementations
  • Attribute mismatches
  • Method mismatches
  • Validation rule gaps

Dimension 4: Acceptance Criteria Traceability

Note: /sdlc:qa Dimension 3 also maps acceptance criteria to tests, but from a quality perspective (test sufficiency and quality). This dimension focuses on traceability — does every criterion have at least one corresponding test?

Invoke the domain-analyst agent to map acceptance criteria to test assertions.

Task for domain-analyst

code
Read user stories from docs/req/user-stories.md. For every acceptance criterion:

1. Search for test files that exercise this feature
2. Find specific test assertions that verify the criterion
3. Check if both happy path and error path are tested
4. Note criteria with no test coverage

Produce a traceability matrix:
| Story ID | Criterion | Test File | Test Name | Status |

Expected Output

  • Total acceptance criteria count
  • Criteria with test coverage
  • Criteria without test coverage
  • Criteria with partial coverage (happy path only)
  • Coverage percentage

Dimension 5: Security Implementation

Only run if security module is active (check sdlc.state.json modules).

Invoke the security-engineer agent to verify security design is implemented.

Task for security-engineer

code
Read the threat model at docs/security/threat-model.md and auth design artifacts.
Verify:

1. STRIDE mitigations mentioned in threat model are implemented in code
2. Authentication design (JWT, session, etc.) matches implementation
3. Authorization checks exist on protected routes
4. No hardcoded secrets in source code
5. Input validation present on all user-facing endpoints
6. Security headers configured (CORS, CSP, etc.)

Report findings with severity and file references.

Expected Output

  • STRIDE mitigation coverage
  • Auth implementation status
  • Hardcoded secret scan results
  • Input validation coverage
  • Security header status

Dimension 6: Documentation Completeness

Check that project documentation reflects the current implementation.

Checks

  1. README: Does it describe the current features? Is setup guide accurate?
  2. API docs: Do they match the actual API endpoints?
  3. CHANGELOG: Are recent changes documented?
  4. ADRs: Do architecture decision records exist for significant decisions?
  5. Inline comments: Are complex sections documented?

Use Grep and Read to verify each item. This dimension does not require a subagent.

Report Generation

After all dimensions complete, generate the review report.

Write Report

Write to docs/review/review-report-YYYY-MM-DD.md:

markdown
# Design Review Report

**Date**: {YYYY-MM-DD}
**Run ID**: {unique-id}
**Reviewer**: /sdlc:review (automated)

## Executive Summary

**Overall Status**: {PASS | PASS WITH DEVIATIONS | FAIL}

{1-3 sentence summary of key findings}

## Dimension Results

| Dimension | Status | Findings | Critical | Major | Minor |
|-----------|--------|----------|----------|-------|-------|
| API Contract | {PASS/FAIL} | {count} | {count} | {count} | {count} |
| Data Model | {PASS/FAIL} | {count} | {count} | {count} | {count} |
| Domain Model | {PASS/FAIL} | {count} | {count} | {count} | {count} |
| Acceptance Criteria | {PASS/FAIL} | {count} | {count} | {count} | {count} |
| Security | {PASS/FAIL/SKIPPED} | {count} | {count} | {count} | {count} |
| Documentation | {PASS/FAIL} | {count} | {count} | {count} | {count} |

## Detailed Findings

### Dimension 1: API Contract Conformance

{Detailed findings from review-auditor}

### Dimension 2: Data Model Conformance

{Detailed findings from review-auditor}

### Dimension 3: Domain Model Conformance

{Detailed findings from review-auditor}

### Dimension 4: Acceptance Criteria Traceability

{Traceability matrix from domain-analyst}

### Dimension 5: Security Implementation

{Security findings from security-engineer, or "Skipped - security module not active"}

### Dimension 6: Documentation Completeness

{Documentation check results}

## Deviations Catalog

Intentional differences between plan and implementation:

| ID | Artifact | Planned | Actual | Reason | Approved |
|----|----------|---------|--------|--------|----------|
| DEV-001 | {artifact} | {planned} | {actual} | {reason} | {yes/no/pending} |

## Recommended Actions

### Critical (Must Fix)
1. {action with file reference}

### Major (Should Fix)
1. {action with file reference}

### Minor (Nice to Fix)
1. {action with file reference}

---

**Previous Reports**: {list of previous report files, if any}

Write/Update Deviations Log

Write or update docs/review/deviations-log.md:

markdown
# Deviations Log

Catalog of approved differences between planning artifacts and implementation.

| ID | Date | Artifact | Planned | Actual | Reason | Status |
|----|------|----------|---------|--------|--------|--------|
| DEV-001 | {date} | {artifact} | {planned} | {actual} | {reason} | Pending Approval |

If the file already exists, append new deviations to the existing table.

State Management

Update docs/sdlc.state.json with review checkpoint:

json
{
  "review": {
    "status": "completed",
    "lastRun": "YYYY-MM-DDTHH:mm:ss.sssZ",
    "history": [
      {
        "runId": "{unique-id}",
        "timestamp": "YYYY-MM-DDTHH:mm:ss.sssZ",
        "dimensions": {
          "apiContract": { "status": "pass", "findings": 0 },
          "dataModel": { "status": "pass", "findings": 2 },
          "domainModel": { "status": "fail", "findings": 5 },
          "acceptanceCriteria": { "status": "pass", "findings": 1 },
          "security": { "status": "skipped", "findings": 0 },
          "documentation": { "status": "pass", "findings": 3 }
        },
        "overallStatus": "pass_with_deviations",
        "reportPath": "docs/review/review-report-YYYY-MM-DD.md"
      }
    ]
  }
}

Client Presentation

After generating the report, present findings to the user.

Sync to Storybook

If Storybook planning hub is configured, copy the report:

bash
cp docs/review/review-report-*.md packages/planning-hub/public/artifacts/review/

Present Summary

Show the user:

markdown
## Design Review Complete

**Overall**: {PASS | PASS WITH DEVIATIONS | FAIL}

| Dimension | Status | Findings |
|-----------|--------|----------|
| API Contract | {status} | {count} |
| Data Model | {status} | {count} |
| Domain Model | {status} | {count} |
| Acceptance Criteria | {status} | {count} |
| Security | {status} | {count} |
| Documentation | {status} | {count} |

**Critical findings**: {count}
**Report**: docs/review/review-report-{date}.md

### Actions Needed

{list top 3-5 most important findings}

Ask for User Decision

Use AskUserQuestion to ask the user:

  1. Approve deviations — Accept documented differences as intentional
  2. Request fixes — Implementation should be updated to match the plan
  3. Update plan — Planning artifacts should be updated to match implementation
  4. Re-review — Fix issues and run /sdlc:review again

Error Handling

Missing Artifacts

If required artifacts are missing:

markdown
⚠️ **Cannot run full review**

Missing artifacts:
- {artifact} — needed for {dimension}

Suggestion: Run /sdlc:plan to generate missing artifacts.

Proceeding with available dimensions only.

No Implementation

If no source code is found:

markdown
🚫 **No implementation to review**

No source files detected in the project.

Run /sdlc:implement to create implementation from planning artifacts.

Partial Implementation

If implementation is incomplete:

markdown
⚠️ **Partial implementation detected**

Reviewing what exists. Unimplemented items will be marked as "Not Started" rather than "Missing".

Tool Usage

  • Read: Load planning artifacts, state file, source code
  • Write: Create review reports, deviations log
  • Edit: Update state file, append to deviations log
  • Bash: Run git commands, file searches
  • Glob: Find source files, test files, artifact files
  • Grep: Search for implementations, patterns, references
  • Task: Invoke review-auditor, domain-analyst, security-engineer agents
  • AskUserQuestion: Present findings, get approval on deviations

Success Criteria

A review run is successful when:

  • Pre-flight checks completed
  • All applicable dimensions evaluated
  • Review report generated with per-dimension results
  • Deviations cataloged and presented for approval
  • State file updated with review checkpoint
  • User informed of findings and recommended actions
  • Report preserved for historical tracking