Best use case
sdd-review — Post-Implementation Code Review is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
## Slash Command
Teams using sdd-review — Post-Implementation Code Review should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/sdd-review/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How sdd-review — Post-Implementation Code Review Compares
| Feature / Agent | sdd-review — Post-Implementation Code Review | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
## Slash Command
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
Related Guides
Best AI Skills for Claude
Explore the best AI skills for Claude and Claude Code across coding, research, workflow automation, documentation, and agent operations.
AI Agents for Coding
Browse AI agent skills for coding, debugging, testing, refactoring, code review, and developer workflows across Claude, Cursor, and Codex.
Cursor vs Codex for AI Workflows
Compare Cursor and Codex for AI coding workflows, repository assistance, debugging, refactoring, and reusable developer skills.
SKILL.md Source
# sdd-review — Post-Implementation Code Review
## Slash Command
```
/sdd-review <slug>
```
## Purpose
Run code review and security review on all changes introduced by the feature branch. Append structured findings to `review.md`. Does NOT auto-apply fixes — only proposes them.
---
## Prerequisites
- `sdd-impl` has completed: all tasks in `progress.md` are `done` (or at least one is `done`; partial reviews are allowed).
- The feature branch must have at least one commit ahead of `main`.
---
## Input Files
| File | Purpose |
| -------------------------------------- | ----------------------------------------------------- |
| `.claude/specs/<slug>/requirements.md` | Acceptance criteria to compare against implementation |
| `.claude/specs/<slug>/tasks.md` | Task scope (which files were changed) |
| `.claude/specs/<slug>/progress.md` | Task completion status and mode setting |
| `.claude/specs/<slug>/review.md` | Append-only — existing content is preserved |
---
## Mode Behavior
Both `standard` and `auto` modes run the same two reviews. The mode difference is in how findings are presented:
| Aspect | `standard` (engineer-led) | `auto` (AI-led) |
| ------------------------ | ---------------------------------------------- | -------------------------------------------------- |
| CRITICAL / HIGH findings | Listed in `review.md`, engineer decides action | Auto-fix proposals generated inline in `review.md` |
| MEDIUM / LOW findings | Listed, engineer decides | Listed, no auto-proposals |
| Fix application | Never auto-applied | Never auto-applied |
---
## Steps
### 1. Get the Feature Diff
```bash
git diff main...HEAD
git log main...HEAD --oneline
```
If the project uses a different base branch (e.g., `develop`), use that. The base branch defaults to `main` unless `progress.md` specifies otherwise.
Both the diff and the log serve as input for both review steps.
### 2. Code Review (Step 1)
Invoke Claude Code's native `code-review` skill with `--effort high`.
Focus areas for this project:
| Area | What to check |
| -------------- | ------------------------------------------------------------------------------- |
| Correctness | Logic matches acceptance criteria in `requirements.md` |
| Type safety | No `any`, Utility Types used correctly (`Pick`, `Omit`, `Record`) |
| Error handling | `better-result` used; `.match({err, ok})` with `err` before `ok` (alphabetical) |
| API layer | `Result.tryPromise` with `catch` before `try` (alphabetical) |
| Import paths | `~/` alias everywhere — no relative imports |
| Exports | No `export default` outside `src/pages/` and `*.config.*` |
| Test coverage | Tests co-located with source; `getByRole` used; no `getByTestId` |
| Immutability | No direct object mutation |
| Comments | Non-obvious logic has Japanese comments explaining WHY, not WHAT |
| File size | Source files under 800 lines; ideally 200–400 lines |
| Console logs | No `console.log` present |
| Memoization | No `useMemo` / `useCallback` added unnecessarily |
| Mantine usage | Mantine props used before Tailwind; `cn()` only for layout wrappers |
### 3. Security Review (Step 2)
Invoke the ECC `security-review` skill.
Focus areas:
| Area | What to check |
| --------------------- | ---------------------------------------------------------------------------------------- |
| Secrets | No hardcoded API keys, tokens, or passwords |
| Input validation | User input validated with Valibot at system boundaries |
| Authentication | Auth headers handled only in `src/lib/api-client.ts` |
| XSS | No `dangerouslySetInnerHTML` without sanitization |
| Sensitive data | No PII/credentials in error messages, URLs, or logs |
| Environment variables | Sensitive values use `import.meta.env.VITE_*` or `process.env.*`; fail fast if undefined |
### 4. Append to `review.md`
Append two new sections to `.claude/specs/<slug>/review.md`. Preserve all existing content above.
```markdown
## Code Review (YYYY-MM-DD)
> Scope: git diff main...HEAD — N files changed
### CRITICAL
- [ ] [FILE:LINE] Description of critical issue
### HIGH
- [ ] [FILE:LINE] Description of high-priority issue
### MEDIUM
- [ ] [FILE:LINE] Description of medium-priority issue
### LOW
- [ ] [FILE:LINE] Description of low-priority issue
### Passed Checks
- Type safety: all props use Utility Types correctly
- Import paths: ~/ alias used throughout
- (other passing items)
---
## Security Review (YYYY-MM-DD)
> Scope: git diff main...HEAD
### CRITICAL
(none)
### HIGH
- [ ] [FILE:LINE] Description of security issue
### MEDIUM
- [ ] [FILE:LINE] Description of security issue
### LOW
(none)
### Passed Checks
- No hardcoded secrets found
- Input validation present at API boundaries
- (other passing items)
```
Use `YYYY-MM-DD` format for the date (e.g., `2026-05-26`).
### 5. Auto-Fix Proposals (`auto` mode only)
For each CRITICAL or HIGH finding, append a proposal block immediately after the finding item:
````markdown
- [ ] [src/features/foo/api/mutations.ts:42] Using try/catch instead of better-result
**Proposed fix:**
```typescript
// Before
try {
const res = await apiClient.api.v1.foos.$post({ body: params })
return res
} catch (err) {
throw err
}
// After
return Result.tryPromise({
catch: toApiError,
try: async () => {
return await apiClient.api.v1.foos.$post({ body: params })
},
})
```
````
```
Do NOT apply the fix. The engineer applies it manually or addresses it before running `sdd-pr`.
---
## Output Files Modified
| File | Change |
|---|---|
| `.claude/specs/<slug>/review.md` | Two sections appended: `## Code Review` + `## Security Review` |
No source files are modified by this skill.
---
## Approval Gate
```
== PHASE COMPLETE: sdd-review ==
Artifact: .claude/specs/<slug>/review.md
Summary:
- Code review complete: 0 CRITICAL, 2 HIGH, 3 MEDIUM, 1 LOW
- Security review complete: 0 CRITICAL, 1 HIGH, 0 MEDIUM
- Total open issues requiring action: 3 HIGH
- Auto-fix proposals generated for all HIGH findings (auto mode only)
- No source files were modified
⏸ WAITING FOR CONFIRMATION
Type `CONFIRM sdd-pr` to proceed to PR creation, or describe changes needed.
```
> **Warning**: If any CRITICAL findings remain unresolved, the gate message will prominently flag this. Proceeding to `sdd-pr` with open CRITICAL issues is strongly discouraged — resolve them first and re-run `/sdd-review <slug>`.
```Related Skills
Skill: sdd-review-requirements
## Invocation
sdd-review-plan
**Slash command**: `/sdd-review-plan <slug>`
test
Advanced test implementation command with unit/E2E support, auto-execution, and smart fixing capabilities
serena
Token-efficient Serena MCP command for structured app development and problem-solving
project-guidelines-example
Example project-specific skill template based on a real production application.
notion-bug-pr
Skill that pulls bug tickets (titles containing 「不具合」) from a Notion database, investigates root cause in a GitHub repo, applies fixes, and opens draft PRs. Supports three modes — daily recurring schedule, one-shot at a specific time, or immediate on-demand run. Takes three or four args: Notion database URL, repo path or name, and either HH:MM (daily), "once HH:MM" (one-shot), or "now" (immediate).
graphify
any input (code, docs, papers, images, videos) to knowledge graph. Use when user asks any question about a codebase, documents, or project content - especially if graphify-out/ exists, treat the question as a /graphify query.
chrome
Comprehensive Chrome DevTools development system with native Chrome capabilities for debugging, E2E testing, performance analysis, and browser automation
webapp-testing
Toolkit for interacting with and testing local web applications using Playwright. Supports verifying frontend functionality, debugging UI behavior, capturing browser screenshots, and viewing browser logs.
web-design-guidelines
Review UI code for Web Interface Guidelines compliance. Use when asked to "review my UI", "check accessibility", "audit design", "review UX", or "check my site against best practices".
typescript-advanced-types
Master TypeScript's advanced type system including generics, conditional types, mapped types, template literals, and utility types for building type-safe applications. Use when implementing complex type logic, creating reusable type utilities, or ensuring compile-time type safety in TypeScript projects.
tanstack-start
Full-stack React framework powered by TanStack Router with SSR, streaming, server functions, and deployment to any hosting provider.