recipe-review
// Design Doc compliance and security validation with optional auto-fixes.
| name | recipe-review |
| description | Design Doc compliance and security validation with optional auto-fixes. |
- coding-rules — coding standards
- testing — test strategy and quality gates
- ai-development-guide — AI development patterns
Spawn rule: every spawn_agent call MUST pass fork_turns="none" or fork_context=false for context isolation.
Context: Post-implementation quality assurance
Core Identity: "I am not a worker. I am an orchestrator."
First Action: Register Steps 1-11 before any execution.
Orchestrator spawns sub-agents and passes structured data between them.
Design Doc (uses most recent if omitted): $ARGUMENTS
Identify Design Doc in docs/design/ and check implementation files via git diff.
If a single active work plan is explicitly provided or unambiguously resolved for that Design Doc, read its Review Scope line. Otherwise set Work Plan: none and Review Scope: none; do not infer.
Spawn code-reviewer agent: "Validate Design Doc compliance for the implementation. Design Doc path: [path]. Work Plan: [resolved work plan path or none]. Review Scope: [literal Review Scope value or none]. Implementation files: [git diff file list]. Review mode: full. Return structured JSON report per your Output Format specification."
Store output as: $STEP_2_OUTPUT
Spawn security-reviewer agent: "Design Doc: [path]. Implementation files: [file list from git diff in Step 1]. Review security compliance."
Store output as: $STEP_3_OUTPUT and $STEP_1_FILES (the initial file list)
If security-reviewer returned blocked: Stop immediately. Report the blocked finding and escalate to user. Do not proceed to fix steps.
Code compliance criteria (considering project stage):
Security criteria:
- approved or approved_with_notes -> Pass
- needs_revision -> Fail
Report both results independently using subagent output fields only (do not add fields that are not in the subagent response):
Code Compliance: [complianceRate from code-reviewer]
Verdict: [verdict from code-reviewer]
Identifier Match Rate: [identifierMatchRate from code-reviewer]
Acceptance Criteria:
- [fulfilled] [item] (confidence: [high/medium/low])
- [partially_fulfilled] [item]: [gap] — [suggestion]
- [unfulfilled] [item]: [gap] — [suggestion]
Identifier Mismatches (show only mismatches; write `None` if all identifiers match):
- None
- [identifier]: DD=[designDocValue] Code=[codeValue] at [location] (confidence: [high/medium/low])
Quality Findings:
- [category] [location]: [description] — [rationale]
Security Review: [status from security-reviewer]
Findings by category:
- [confirmed_risk] [location]: [description] — [rationale]
- [defense_gap] [location]: [description] — [rationale]
- [hardening] [location]: [description] — [rationale]
- [policy] [location]: [description] — [rationale]
Notes: [notes from security-reviewer, if present]
Resolve discrepancies by route:
c) Code-side fix
d) Design-side update
s) Skip
Default: accept all recommended routes.
Accepted response formats:
- empty input -- accept every recommended route
- `all-recommended` -- accept every recommended route
- `all:c`, `all:d`, or `all:s` -- apply one route to every finding
- Per-finding routes, e.g. `F1:c, F2:d, F3:s`
Before presenting results, recommend a route for each finding:
- d when implementation intent matches the requirement but the Design Doc is stale or too narrow.
- c when code drifted from a still-correct Design Doc, or when the finding is reliability, security, or maintainability related.
- s only when the user explicitly accepts the current state without changes.
[STOP — BLOCKING] Present results and recommended routes to user for confirmation. CANNOT proceed until user explicitly confirms routes.
If all findings are skipped: Skip Steps 5-10, proceed to Step 11.
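The gate on the security-reviewer status (blocked stops the run; approved statuses pass; needs_revision fails) and the route confirmation step above are both mechanical enough to encode. The following is an added example, not code from the recipe or its sub-agents: it assumes findings arrive as plain dicts with an `id` like `F1`, a `category` string and a `design_doc_stale` flag (assumed field names, not the real sub-agent output schema), recommends a route per the rules above, and parses every accepted response format, rejecting anything else so the orchestrator re-prompts instead of guessing at a blocking step.

```python
"""Route handling for a recipe-review style orchestrator (added example).

Assumptions: findings are dicts with keys "id", "category" and
"design_doc_stale"; these names are illustrative, not the sub-agents' schema.
"""
import re

ROUTES = {"c", "d", "s"}  # code-side fix, design-side update, skip

# Finding categories the recipe always routes to a code-side fix.
CODE_SIDE_CATEGORIES = {
    "reliability", "security", "maintainability",
    "confirmed_risk", "defense_gap", "hardening",
}


def security_gate(status: str) -> str:
    """Map the security-reviewer status to the recipe's gate outcome.

    'blocked' halts the run before any fix step ("stop"); approved statuses
    pass; needs_revision fails but still proceeds to route selection.
    """
    if status == "blocked":
        return "stop"
    if status in ("approved", "approved_with_notes"):
        return "Pass"
    if status == "needs_revision":
        return "Fail"
    raise ValueError(f"unknown security status: {status!r}")


def recommend_route(finding: dict) -> str:
    """Recommend c or d; s is never recommended automatically."""
    if finding.get("category") in CODE_SIDE_CATEGORIES:
        return "c"  # reliability/security/maintainability: fix the code
    if finding.get("design_doc_stale"):
        return "d"  # intent matches, Design Doc is stale or too narrow
    return "c"      # code drifted from a still-correct Design Doc


def parse_routes(response: str, findings: list[dict]) -> dict[str, str]:
    """Resolve the user's confirmation text into one route per finding id.

    Accepts: empty, "all-recommended", "all:c|d|s", or "F1:c, F2:d, ...".
    Raises ValueError on anything else, or when a finding is left unrouted.
    """
    ids = [f["id"] for f in findings]
    text = response.strip()
    if text in ("", "all-recommended"):
        return {f["id"]: recommend_route(f) for f in findings}
    m = re.fullmatch(r"all:([cds])", text)
    if m:
        return {fid: m.group(1) for fid in ids}
    routes: dict[str, str] = {}
    for token in text.split(","):
        token = token.strip()
        m = re.fullmatch(r"(F\d+):([cds])", token)
        if not m:
            raise ValueError(f"unrecognised route token: {token!r}")
        fid, route = m.groups()
        if fid not in ids:
            raise ValueError(f"unknown finding id: {fid}")
        if fid in routes:
            raise ValueError(f"duplicate route for {fid}")
        routes[fid] = route
    missing = [fid for fid in ids if fid not in routes]
    if missing:
        raise ValueError(f"no route given for: {', '.join(missing)}")
    return routes


def is_rejected(response: str, findings: list[dict]) -> bool:
    """True when the response must be re-prompted rather than applied."""
    try:
        parse_routes(response, findings)
    except ValueError:
        return True
    return False


def next_step(routes: dict[str, str]) -> int:
    """Step 11 when every finding is skipped, otherwise Step 5."""
    return 11 if all(r == "s" for r in routes.values()) else 5


# Constructed sample findings, loosely modelled on the report format above.
SAMPLE_FINDINGS = [
    {"id": "F1", "category": "unfulfilled", "design_doc_stale": True},
    {"id": "F2", "category": "defense_gap", "design_doc_stale": False},
    {"id": "F3", "category": "partially_fulfilled", "design_doc_stale": False},
]

if __name__ == "__main__":
    print("gate:", security_gate("approved_with_notes"))
    print("recommended:", parse_routes("", SAMPLE_FINDINGS))
    print("per-finding:", parse_routes("F1:c, F2:d, F3:s", SAMPLE_FINDINGS))
```

A partial per-finding answer such as `F1:c` is rejected rather than filled in with recommendations, because the step is blocking: every finding needs an explicit or explicitly defaulted route before Steps 5-10 run.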
Reference documentation-criteria skill for task file template.
Run this step only when the user routes at least one finding to d.
Update the Design Doc under docs/design/, then spawn design-sync agent: "Check cross-Design Doc consistency after updating [path]."
When findings were routed to both d and c, re-evaluate the c findings against the updated Design Doc and drop any that are now satisfied.
Create task file at docs/plans/tasks/review-fixes-YYYYMMDD.md
Include only code-side compliance issues and security requiredFixes routed to c.
Spawn task-executor agent: "Execute review fixes. Task file: docs/plans/tasks/review-fixes-YYYYMMDD.md. Apply staged fixes (stops at 5 files)."
Spawn quality-fixer agent: "Confirm quality gate passage for fixed files."
Spawn code-reviewer agent: "Re-validate Design Doc compliance after fixes. Prior compliance issues: $STEP_2_OUTPUT. Verify each prior issue is resolved."
Spawn security-reviewer agent: "Re-validate security after fixes. Prior findings: $STEP_3_OUTPUT. Design Doc: [path]. Implementation files: [union of $STEP_1_FILES and task-executor filesModified from Step 7, deduplicated]."
Delete the review-fix task file this recipe created, if present. Its work is committed; docs/plans/ is ephemeral working state.
Code Compliance:
Initial: [X]%
Final: [Y]% (if fixes executed)
Security Review:
Initial: [status]
Final: [status] (if fixes executed)
Notes: [notes from approved_with_notes, if any]
Remaining issues:
- [items requiring manual intervention]
Scope: Design Doc compliance validation, security review, and auto-fixes.