zhongwei/gh-ninthspace-claude-code-marketplace-sdd
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
master
gh-ninthspace-claude-code-m…/commands/story-review.md
Zhongwei Li d97a70be33 Initial commit
2025-11-30 08:44:27 +08:00

20 KiB
Raw Permalink Blame History

/sdd:story-review

Meta

  • Version: 2.0
  • Category: quality-gates
  • Complexity: high
  • Purpose: Move story to review stage and execute comprehensive quality checks

Definition

Purpose: Execute comprehensive code review with project-specific quality gates, linting, testing, security checks, and standards compliance before QA.

Syntax: /sdd:story-review [story_id]

Parameters

Parameter Type Required Default Description Validation
story_id string No current branch Story ID (STORY-YYYY-NNN) Must match format STORY-YYYY-NNN

INSTRUCTION: Execute Story Review

INPUTS

  • story_id: Story identifier (auto-detected from branch if not provided)
  • Project context from /docs/project-context/ directory
  • Story file from /docs/stories/development/[story-id].md
  • Codebase changes since story started

PROCESS

Phase 1: Project Context Loading

  1. CHECK if /docs/project-context/ directory exists
  2. IF missing:
    • SUGGEST running /sdd:project-init first
    • EXIT with initialization guidance
  3. LOAD project-specific review standards from:
    • /docs/project-context/technical-stack.md - Technology stack and tools
    • /docs/project-context/coding-standards.md - Quality standards and thresholds
    • /docs/project-context/development-process.md - Review stage requirements

Phase 2: Story Identification & Validation

  1. IF story_id NOT provided:

    • DETECT current git branch
    • EXTRACT story ID from branch name
    • EXAMPLE: Branch feature/STORY-2025-001-auth → ID STORY-2025-001

  2. VALIDATE story exists:

    • CHECK /docs/stories/development/[story-id].md exists
    • IF NOT found in development:
      • CHECK if already in /docs/stories/review/
      • INFORM user and ask to proceed with re-review
    • IF NOT found anywhere:
      • ERROR: "Story [story-id] not found"
      • EXIT with guidance

  3. READ story file for:

    • Current status
    • Implementation checklist state
    • Acceptance criteria
    • Technical approach

Phase 3: Directory Preparation

  1. ENSURE /docs/stories/review/ directory exists

    • CREATE directory if missing
    • ADD .gitkeep file if directory was created

  2. MOVE story file:

    • FROM: /docs/stories/development/[story-id].md
    • TO: /docs/stories/review/[story-id].md
    • PRESERVE all content and formatting

  3. UPDATE story metadata:

    • Change status from "development" to "review"
    • KEEP existing dates and branch information
    • ADD review start timestamp to progress log

Phase 4: Quality Gate Execution

4.1 Linting & Formatting (Discovered Tools)

  1. IDENTIFY linter from technical-stack.md:

    • PHP/Laravel: vendor/bin/pint
    • Node.js: ESLint, Prettier
    • Python: Black, flake8, pylint
    • Go: gofmt, golint
    • Rust: rustfmt, clippy

  2. RUN discovered linter:

    # Example for Laravel:
vendor/bin/pint --dirty

# Example for Node.js:
npm run lint
npm run format

  3. CAPTURE results:

    • COUNT style violations
    • IDENTIFY auto-fixable issues
    • LIST files modified by auto-fix
    • REPORT remaining manual fixes needed
4.2 Testing (Discovered Framework)

  1. IDENTIFY test framework from technical-stack.md:

    • PHP/Laravel: Pest, PHPUnit
    • Node.js: Jest, Vitest, Mocha
    • Python: pytest, unittest
    • Go: go test
    • Java: JUnit, TestNG

  2. RUN discovered test suite:

    # Example for Laravel Pest:
vendor/bin/pest --coverage

# Example for Node.js:
npm test -- --coverage

  3. ANALYZE test results:

    • PASS/FAIL status for all test types
    • Coverage percentage (unit, feature, browser)
    • Identify untested code paths
    • CHECK coverage meets standards from coding-standards.md
4.3 Security Checks (Discovered Tools)

  1. IDENTIFY security tools from technical-stack.md:

    • PHP/Laravel: composer audit
    • Node.js: npm audit, yarn audit
    • Python: safety check, bandit
    • Go: go mod audit, gosec
    • Java: mvn dependency-check

  2. RUN discovered security scanners:

    # Example for Laravel:
composer audit

# Example for Node.js:
npm audit --production

  3. SCAN for exposed secrets:

    • CHECK for API keys, tokens, passwords
    • VALIDATE environment variable usage
    • REVIEW configuration files

  4. FRAMEWORK-SPECIFIC security checks:

    • Laravel: CSRF tokens, SQL injection prevention, XSS protection
    • React: XSS via dangerouslySetInnerHTML, dependency vulnerabilities
    • Express: Helmet middleware, rate limiting, input validation
4.4 Dependencies Analysis (Discovered Package Manager)

  1. IDENTIFY package manager from technical-stack.md:

    • PHP: Composer
    • Node.js: npm, yarn, pnpm
    • Python: pip, poetry
    • Go: go modules
    • Rust: cargo

  2. CHECK for unused dependencies:

    # Example for Node.js:
npx depcheck

# Example for PHP:
composer show --tree

  3. IDENTIFY outdated packages:

    # Example for Laravel:
composer outdated

# Example for Node.js:
npm outdated

  4. ANALYZE bundle size impact (if frontend):

    • MEASURE before/after bundle sizes
    • IDENTIFY large dependencies
    • SUGGEST optimization opportunities
4.5 Standards Compliance (Discovered Coding Standards)

  1. LOAD naming conventions from coding-standards.md

  2. LOAD file organization patterns

  3. LOAD error handling requirements

  4. LOAD performance guidelines

  5. FRAMEWORK-SPECIFIC compliance checks:

    • React: Component structure, hooks rules, prop-types/TypeScript
    • Vue: Composition API patterns, template conventions, ref naming
    • Laravel: Eloquent usage, Blade conventions, Livewire patterns, route naming
    • Django: Model/View/Template patterns, DRF conventions, ORM best practices
    • Express: Middleware patterns, route organization, error handling

  6. VALIDATE against standards:

    • CHECK naming conventions (files, functions, variables)
    • VERIFY file organization matches project structure
    • ENSURE error handling follows patterns
    • CONFIRM performance guidelines met
4.6 Accessibility Checks (If UI Changes)

  1. DETECT if story includes UI changes

  2. IF UI changes present:

    • CHECK for ARIA labels per coding-standards.md
    • VERIFY keyboard navigation support
    • TEST color contrast ratios (WCAG AA/AAA)
    • VALIDATE semantic HTML usage
    • CHECK screen reader compatibility

  3. FRAMEWORK-SPECIFIC accessibility:

    • React: jsx-a11y rules, focus management
    • Vue: Template accessibility, v-focus directive
    • Laravel Livewire: wire:loading states, wire:target accessibility

Phase 5: Report Generation

  1. COMPILE all check results
  2. GENERATE review report:
📊 CODE REVIEW REPORT
════════════════════════════════════════════════
Story: [STORY-ID] - [Title]
Stack: [Discovered Framework/Language/Tools]
Reviewed: [Timestamp]

✅ PASSED CHECKS:
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
[Linting]
  ✓ Laravel Pint: All files formatted (X files checked)
  ✓ No style violations found

[Testing]
  ✓ Pest tests: XX/XX passed
  ✓ Unit coverage: XX% (target: YY% from standards)
  ✓ Feature coverage: XX% (target: YY% from standards)
  ✓ Browser coverage: XX% (target: YY% from standards)

[Security]
  ✓ Composer audit: No vulnerabilities
  ✓ No exposed secrets detected
  ✓ CSRF protection implemented

[Dependencies]
  ✓ No unused dependencies
  ✓ All packages up to date

[Standards]
  ✓ Naming conventions followed
  ✓ File organization matches project structure
  ✓ Error handling implemented
  ✓ Performance guidelines met

[Accessibility] (if UI)
  ✓ ARIA labels present
  ✓ Keyboard navigation functional
  ✓ Color contrast: WCAG AA compliant

⚠️ WARNINGS:
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
[Dependencies]
  ⚠ Package "X" has minor update available (current: 1.2.3, latest: 1.2.4)
  ⚠ Bundle size increased by XKB (+Y%)

[Performance]
  ⚠ Method X complexity is high (cyclomatic complexity: N)

❌ FAILURES:
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
[Testing]
  ✗ Coverage below threshold: 75% (target: 80%)
  ✗ Missing tests for: ErrorHandlingService.handleTimeout()

[Security]
  ✗ High severity vulnerability in package "Y" (CVE-2024-XXXX)

📈 METRICS:
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Test Coverage:       XX% (target: YY% from standards)
Code Quality Score:  X/10 (using discovered metrics)
Bundle Size Impact:  +XKB (+Y%)
Performance Score:   X/100 (using discovered tools)
Complexity Score:    X (average cyclomatic complexity)

🔧 SUGGESTED IMPROVEMENTS:
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
[Laravel-specific]
  → Consider eager loading to prevent N+1 queries in TaskController
  → Extract complex query logic to repository pattern
  → Add database indexes for frequently queried columns

[Performance]
  → Cache expensive computations in method X
  → Lazy load heavy components

[Testing]
  → Add browser test for error scenario in feature Y
  → Increase coverage for edge cases in service Z

Phase 6: Story File Updates

  1. UPDATE Implementation Checklist based on review:

    • [x] Feature implementation - IF core functionality complete
    • [x] Unit tests - IF tests pass AND coverage meets standards
    • [x] Integration tests - IF integration tests pass
    • [x] Error handling - IF error scenarios properly handled
    • [x] Loading states - IF UI loading states implemented
    • [x] Performance optimization - IF performance requirements met
    • [x] Accessibility - IF accessibility standards met
    • [x] Security review - IF security checks pass

  2. ADD to Progress Log:

    - [Today]: Moved to review stage
- [Today]: Executed quality gates - [PASSED/FAILED]
  * Linting: [status]
  * Testing: [status] - [XX]% coverage
  * Security: [status]
  * Standards: [status]

  3. RECORD review results:

    • Which tools were used
    • Which standards were applied
    • Coverage percentages achieved
    • Issues found and resolution status

  4. ONLY mark items [x] if they truly pass review criteria

    • BE STRICT with validation
    • PARTIAL completion = NOT checked
    • MUST meet coding-standards.md thresholds

Phase 7: Next Actions

  1. DETERMINE review outcome:

    • IF all critical checks PASS → Ready for /sdd:story-qa
    • IF any failures → Requires /sdd:story-refactor
    • IF documentation needed → Run /sdd:story-document

  2. DISPLAY next steps:

    💡 NEXT STEPS:
════════════════════════════════════════════════

[IF PASSED:]
✅ All quality gates passed
1. /sdd:story-qa [story-id]           # Move to QA and run test suite

[IF FAILED:]
⚠️ X critical issues must be fixed
1. /sdd:story-refactor [story-id]     # Return to development
2. Fix identified issues:
   - [Issue 1]
   - [Issue 2]
3. /sdd:story-review [story-id]       # Re-run review after fixes

[IF WARNINGS:]
⚠️ X warnings (non-blocking)
1. /sdd:story-qa [story-id]           # Proceed to QA (warnings won't block)
2. Consider addressing warnings in future iteration

[AVAILABLE COMMANDS:]
- /sdd:story-document [story-id]      # Add/update documentation
- /sdd:story-status [story-id]        # View detailed story status

  3. SHOW relevant debugging commands for discovered stack:

    # Laravel:
vendor/bin/pint --test          # Check formatting without fixing
vendor/bin/pest --filter=Unit   # Run specific test suite
composer audit                   # Re-run security scan

# Node.js:
npm run lint:fix                 # Auto-fix linting issues
npm test -- --coverage           # Run tests with coverage
npm audit fix                    # Fix security vulnerabilities

OUTPUTS

  • /docs/stories/review/[story-id].md - Updated story file with review results
  • Code review report (displayed to user)
  • Updated Implementation Checklist with validation status
  • Progress log entry with review timestamp

RULES

  • MUST load project context before running any checks
  • MUST use discovered tools from technical-stack.md
  • MUST validate against coding-standards.md thresholds
  • MUST move story file from development to review
  • SHOULD run all applicable quality gates for stack
  • SHOULD capture detailed metrics for analysis
  • NEVER mark checklist items complete unless they truly pass
  • NEVER skip security checks
  • ALWAYS update progress log with review results
  • ALWAYS provide actionable feedback for failures

Examples

Example 1: Review with All Checks Passing

INPUT:
/sdd:story-review STORY-2025-001

OUTPUT:
→ Loading project context...
  ✓ technical-stack.md: Laravel + Pest + Playwright
  ✓ coding-standards.md: 80% coverage target, Laravel Pint
  ✓ development-process.md: Review stage requirements

→ Moving story to review...
  ✓ Moved STORY-2025-001.md to /docs/stories/review/

→ Running quality gates...
  [Linting] Running Laravel Pint...
    ✓ 15 files formatted, 0 violations

  [Testing] Running Pest...
    ✓ Unit tests: 45/45 passed
    ✓ Feature tests: 23/23 passed
    ✓ Browser tests: 8/8 passed
    ✓ Coverage: 87% (target: 80%)

  [Security] Running Composer audit...
    ✓ No vulnerabilities found
    ✓ No exposed secrets

  [Standards] Checking Laravel conventions...
    ✓ Eloquent usage follows best practices
    ✓ Livewire patterns correct
    ✓ Blade conventions followed

📊 CODE REVIEW REPORT
════════════════════════════════════════════════
Story: STORY-2025-001 - User Authentication System
Stack: Laravel 12, Livewire 3, Pest 4, Playwright
Reviewed: 2025-10-01 14:23:45

✅ ALL CHECKS PASSED

📈 METRICS:
Test Coverage:       87% (target: 80%)
Code Quality Score:  9.2/10
Bundle Size Impact:  +12KB (+3%)
Performance Score:   94/100

💡 NEXT STEPS:
════════════════════════════════════════════════
✅ All quality gates passed
1. /sdd:story-qa STORY-2025-001          # Move to QA and run test suite

Example 2: Review with Failures

INPUT:
/sdd:story-review

OUTPUT:
→ Detecting story from current branch...
  ✓ Current branch: feature/STORY-2025-003-dark-mode
  ✓ Story ID: STORY-2025-003

→ Loading project context...
  ✓ technical-stack.md: Laravel + Pest + Playwright
  ✓ coding-standards.md: 80% coverage target

→ Moving story to review...
  ✓ Moved STORY-2025-003.md to /docs/stories/review/

→ Running quality gates...
  [Testing] Running Pest...
    ✓ Unit tests: 12/12 passed
    ✗ Feature tests: 4/5 passed (1 failed)
    ✓ Browser tests: 3/3 passed
    ✗ Coverage: 68% (target: 80%)

  [Security] Running Composer audit...
    ✗ 1 high severity vulnerability found

📊 CODE REVIEW REPORT
════════════════════════════════════════════════
Story: STORY-2025-003 - Dark Mode Toggle
Stack: Laravel 12, Livewire 3, Pest 4
Reviewed: 2025-10-01 15:45:12

❌ FAILURES:
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
[Testing]
  ✗ Coverage below threshold: 68% (target: 80%)
  ✗ Missing tests for: DarkModeService.applyTheme()
  ✗ Feature test failed: tests/Feature/DarkModeTest.php

[Security]
  ✗ High severity vulnerability in package "laravel/framework"
    CVE-2024-12345 - Update to v12.1.5

💡 NEXT STEPS:
════════════════════════════════════════════════
⚠️ 3 critical issues must be fixed
1. /sdd:story-refactor STORY-2025-003     # Return to development
2. Fix identified issues:
   - Add tests for DarkModeService.applyTheme()
   - Fix failing feature test
   - Update Laravel framework to v12.1.5
3. /sdd:story-review STORY-2025-003       # Re-run review after fixes

[DEBUGGING COMMANDS:]
vendor/bin/pest --filter=DarkMode      # Run specific test
composer update laravel/framework      # Update vulnerable package

Example 3: Re-review Already in Review

INPUT:
/sdd:story-review STORY-2025-002

OUTPUT:
→ Loading project context...
  ✓ technical-stack.md loaded

→ Validating story location...
  ⚠️ Story STORY-2025-002 already in review stage
   Running re-review with updated checks

→ Running quality gates...
  [All checks execute...]

📊 CODE REVIEW REPORT (RE-REVIEW)
════════════════════════════════════════════════
Story: STORY-2025-002 - Payment Integration
Stack: Laravel 12, Stripe SDK
Reviewed: 2025-10-01 16:12:33 (2nd review)

✅ ALL CHECKS PASSED

Edge Cases

No Project Context

  • DETECT missing /docs/project-context/ directory
  • SUGGEST running /sdd:project-init
  • OFFER to run basic checks without discovered standards
  • WARN that review will be incomplete

Story Not in Development

  • CHECK if story in /docs/stories/review/
  • IF found: ASK user if they want to re-review
  • IF in /docs/stories/qa/: ERROR and suggest /sdd:story-refactor first
  • IF in /docs/stories/completed/: ERROR "Story already shipped"

Missing Test Framework

  • DETECT if testing tool not installed
  • PROVIDE installation instructions for discovered stack
  • SKIP test checks with warning
  • MARK review as INCOMPLETE

Security Vulnerabilities Found

  • BLOCK progression to QA if HIGH/CRITICAL severity
  • ALLOW progression if LOW/MEDIUM with warning
  • PROVIDE update/fix commands
  • LOG all vulnerabilities in review report

Coverage Below Threshold

  • CALCULATE gap to target (e.g., 68% vs 80% = 12% gap)
  • IDENTIFY specific untested files/methods
  • SUGGEST test cases to add
  • BLOCK progression if below threshold

Tool Execution Failures

  • CATCH and log tool errors
  • CONTINUE with remaining checks
  • MARK affected section as INCOMPLETE
  • SUGGEST manual verification

Error Handling

  • Missing /docs/project-context/: Suggest /sdd:project-init, offer basic review
  • Story file not found: Check all directories, provide helpful guidance
  • Tool not installed: Provide installation commands for stack
  • Permission errors: Report specific file/directory access issue
  • Git errors: Validate git state, suggest resolution
  • Test failures: Capture full output, suggest debugging steps

Performance Considerations

  • Run linting/formatting in parallel with security scans
  • Cache project context for session (don't re-read every time)
  • Stream test output in real-time (don't wait for completion)
  • Limit coverage analysis to changed files when possible

Related Commands

  • /sdd:story-refactor [id] - Return to development to fix issues
  • /sdd:story-qa [id] - Proceed to QA after passing review
  • /sdd:story-document [id] - Add documentation before QA
  • /sdd:story-status [id] - Check current story state
  • /sdd:project-context - Update project standards

Constraints

  • MUST load project context before any checks
  • MUST move story file to review directory
  • MUST run all applicable quality gates
  • MUST validate against coding-standards.md
  • ⚠️ NEVER skip security checks
  • ⚠️ NEVER mark checklist items complete without validation
  • 📋 SHOULD provide actionable feedback for all failures
  • 🔧 SHOULD suggest framework-specific improvements
  • 💾 MUST update progress log with timestamp
  • 🚫 BLOCK QA progression if critical checks fail
Reference in New Issue View Git Blame Copy Permalink