/review-sdlc — Multi-Dimension Code Review

Overview

Loads project review dimensions from .claude/review-dimensions/, matches them to changed files via glob patterns, dispatches parallel review subagents for each matching dimension, deduplicates findings, and posts a consolidated comment to the PR. By default it reviews committed branch changes plus staged changes (scope all). Requires at least one dimension file; run /setup-sdlc --dimensions first if none exist.


Usage

/review-sdlc

Flags

| Flag | Description | Default |
|------|-------------|---------|
| --base <branch> | Compare against this branch instead of the auto-detected base | auto-detected |
| --committed | Review only committed branch changes (excludes staged) | |
| --staged | Review only staged changes vs HEAD | |
| --working | Review all uncommitted changes vs HEAD (staged + unstaged) | |
| --worktree | Review full working tree vs base: committed + staged + unstaged | |
| --set-default | Save the resolved scope to .sdlc/review.json as the project default | |
| --dimensions <name,...> | Run only the named dimensions (comma-separated) | all matching |
| --dry-run | Show the review plan without dispatching subagents | |

Scope flags: --committed, --staged, --working, and --worktree are mutually exclusive. --staged and --working cannot be combined with --base, since both compare against HEAD rather than a base branch.


Examples

Run a full review (committed + staged changes)

/review-sdlc

Review staged changes before committing

/review-sdlc --staged

Review all local changes (staged + unstaged)

/review-sdlc --working

Review only committed changes (exclude staged)

/review-sdlc --committed

Review against a non-default base branch

/review-sdlc --base develop

Run specific dimensions only

/review-sdlc --dimensions security-review,api-review

Review full working tree including unstaged changes

/review-sdlc --worktree

Save a scope as the project default, then run

/review-sdlc --set-default --worktree

Saves worktree to .sdlc/review.json and runs the review. Subsequent /review-sdlc calls will use worktree automatically.

Preview what would be reviewed without running

/review-sdlc --dry-run

Configuration

The default scope can be persisted in .sdlc/review.json:

{
  "defaults": {
    "scope": "worktree"
  }
}

Scope resolution order: CLI flag → .sdlc/review.json → all (hardcoded default)

Use --set-default to create or update this file without editing it manually:

/review-sdlc --set-default --staged

Valid scope values: all, committed, staged, working, worktree.
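The scope rules above (mutual exclusion of the scope flags, the --base restriction, the CLI → .sdlc/review.json → all resolution order, and what --set-default writes) are small enough to show end to end. The following is an added example written for this page, not the skill's own implementation: flag names, scope values and the resolution order are taken from the page, while the git diff invocation each scope maps to is an assumption made here so that the scopes are concrete.

```python
"""Scope resolution and flag validation for a /review-sdlc-style command.

Added example, not the skill's own implementation. Flag names, scope values
and the resolution order (CLI flag -> .sdlc/review.json -> "all") come from
the page; the git invocation each scope maps to is an assumption made here.
"""
import argparse
import json
from pathlib import Path

SCOPES = ("all", "committed", "staged", "working", "worktree")
SCOPE_FLAGS = ("committed", "staged", "working", "worktree")
HEAD_RELATIVE = ("staged", "working")   # compare against HEAD, so --base makes no sense


def parse_flags(argv):
    """Parse the page's flags and reject more than one scope flag at a time."""
    p = argparse.ArgumentParser(prog="/review-sdlc", add_help=False)
    p.add_argument("--base")
    for flag in SCOPE_FLAGS:
        p.add_argument("--" + flag, action="store_true")
    p.add_argument("--set-default", action="store_true")
    p.add_argument("--dimensions")              # comma-separated dimension names
    p.add_argument("--dry-run", action="store_true")
    args = p.parse_args(argv)

    chosen = [f for f in SCOPE_FLAGS if getattr(args, f)]
    if len(chosen) > 1:
        raise ValueError("scope flags are mutually exclusive: "
                         + ", ".join("--" + f for f in chosen))
    args.scope = chosen[0] if chosen else None   # None: fall through to config/default
    args.dimension_list = args.dimensions.split(",") if args.dimensions else None
    return args


def load_default_scope(config_path):
    """Read defaults.scope from .sdlc/review.json; a missing file means no default."""
    try:
        data = json.loads(Path(config_path).read_text())
    except FileNotFoundError:
        return None
    scope = data.get("defaults", {}).get("scope")
    if scope is not None and scope not in SCOPES:
        raise ValueError(f"invalid scope {scope!r} in {config_path}; valid: {', '.join(SCOPES)}")
    return scope


def resolve_scope(cli_scope, base, config_path):
    """Resolution order from the page: CLI flag, then the config file, then 'all'.
    The --base check runs after resolution so a saved HEAD-relative default is caught too."""
    scope = cli_scope or load_default_scope(config_path) or "all"
    if base and scope in HEAD_RELATIVE:
        raise ValueError(f"scope {scope!r} compares against HEAD and cannot be combined with --base")
    return scope


def save_default_scope(scope, config_path):
    """What --set-default does: create or update the file without clobbering other keys."""
    if scope not in SCOPES:
        raise ValueError(f"invalid scope {scope!r}")
    path = Path(config_path)
    data = json.loads(path.read_text()) if path.exists() else {}
    data.setdefault("defaults", {})["scope"] = scope
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(json.dumps(data, indent=2) + "\n")


def git_diff_args(scope, merge_base):
    """Assumed mapping from scope to the git diff that lists the files in scope.
    merge_base is the merge base of the resolved base branch and HEAD; 'all'
    (committed + staged) is the index compared against that merge base."""
    table = {
        "committed": ["git", "diff", "--name-only", merge_base, "HEAD"],
        "staged":    ["git", "diff", "--name-only", "--cached"],
        "working":   ["git", "diff", "--name-only", "HEAD"],
        "worktree":  ["git", "diff", "--name-only", merge_base],
        "all":       ["git", "diff", "--name-only", "--cached", merge_base],
    }
    return table[scope]


if __name__ == "__main__":
    import tempfile
    cfg = Path(tempfile.mkdtemp()) / ".sdlc" / "review.json"
    flags = parse_flags(["--set-default", "--worktree"])
    save_default_scope(flags.scope, cfg)
    print(resolve_scope(None, None, cfg))             # worktree, read back from the saved default
    print(" ".join(git_diff_args("all", "MERGE_BASE")))
```

The --base check is deliberately applied to the resolved scope rather than only to the flags on the command line: a project whose saved default is staged would otherwise silently accept /review-sdlc --base develop and compare against HEAD anyway.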


Consolidated Comment Format

The command posts a single PR comment:

## Code Review — 3 dimension(s), 7 finding(s)

> Automated review by `sdlc:sdlc-reviewing-changes` · 2026-02-25

### Summary

| Dimension       | Findings | Critical | High  | Medium | Low   | Info  |
|-----------------|----------|----------|-------|--------|-------|-------|
| security-review | 3        | 0        | 2     | 1      | 0     | 0     |
| code-quality    | 4        | 0        | 0     | 2      | 2     | 0     |
| **Total**       | **7**    | **0**    | **2** | **3**  | **2** | **0** |

### Verdict: APPROVED WITH NOTES

Two high-severity security findings require attention before merging.

---

### security-review — 3 finding(s)

<details>
<summary>0 critical · 2 high · 1 medium · 0 low · 0 info</summary>

#### [HIGH] Unvalidated user input passed to exec()
**File:** `src/handlers/deploy.ts:47`
User-supplied `command` parameter is passed directly to `child_process.exec()` without sanitization.
**Suggestion:** Use `execFile()` with a fixed command and pass arguments as an array.

</details>

Dimension Suggestions

When the review finds changed files not covered by any active dimension, it analyzes their patterns and suggests new dimensions in the review plan output:

Suggested new dimensions for uncovered files:

  ci-cd-pipeline-review — 2 CI/CD workflow files not covered
    Files: .github/workflows/ci.yml, .github/workflows/deploy.yml

  configuration-management-review — 3 configuration files not covered
    Files: src/config/db.ts, src/config/auth.ts, .env.example

Run `/setup-sdlc --dimensions --add` to create these dimensions.

Files that cannot be mapped to any known dimension type are listed separately:

2 file(s) not mappable to any known dimension type:
  src/custom-runtime.xyz
  build-tool.conf
Consider creating a custom dimension or broadening existing trigger patterns.

These suggestions are informational during a review run. To act on them, run /setup-sdlc --dimensions --add.
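The Overview describes glob matching of dimensions to changed files and deduplication of findings, and this section describes how uncovered files are grouped into suggested dimension types. The block below is an added example covering both, written for this page and not the skill's own code. The page says dimension files live in .claude/review-dimensions/ and match via glob patterns; the in-memory shape used here (name → trigger globs), the table of known dimension types, and the sample changed files and findings are all constructed for the example.

```python
"""Trigger-glob matching, uncovered-file suggestions and finding deduplication.

Added example, not the skill's own code. The dimension shape (name -> trigger
globs), the known-type table used for suggestions, and the sample files and
findings below are constructed for illustration.
"""
import re
from collections import Counter

SEVERITIES = ("critical", "high", "medium", "low", "info")   # most to least severe

# Constructed active dimensions, as if loaded from .claude/review-dimensions/.
DIMENSIONS = {
    "security-review": ["src/handlers/**", "src/auth/**", "**/*.sql"],
    "api-review":      ["src/api/**/*.ts"],
    "code-quality":    ["src/**/*.ts"],
}
# Constructed table of known dimension types, used only to suggest new dimensions.
KNOWN_TYPES = {
    "ci-cd-pipeline-review":           [".github/workflows/*.yml"],
    "configuration-management-review": ["src/config/**", ".env.example"],
}
# Constructed sample input: changed files and the raw per-dimension findings.
CHANGED_FILES = ["src/handlers/deploy.ts", "src/api/users.ts",
                 ".github/workflows/ci.yml", "src/custom-runtime.xyz"]
FINDINGS = [
    {"dimension": "security-review", "severity": "high", "file": "src/handlers/deploy.ts",
     "line": 47, "title": "Unvalidated user input passed to exec()"},
    {"dimension": "code-quality", "severity": "medium", "file": "src/handlers/deploy.ts",
     "line": 47, "title": "unvalidated user input passed to  exec()"},
    {"dimension": "code-quality", "severity": "low", "file": "src/api/users.ts",
     "line": 12, "title": "Unused import"},
]


def glob_to_regex(pattern):
    """Translate a trigger glob: ** spans directories, * and ? stay within one segment."""
    out, i = "", 0
    while i < len(pattern):
        if pattern.startswith("**/", i):
            out, i = out + "(?:.*/)?", i + 3
        elif pattern.startswith("**", i):
            out, i = out + ".*", i + 2
        elif pattern[i] == "*":
            out, i = out + "[^/]*", i + 1
        elif pattern[i] == "?":
            out, i = out + "[^/]", i + 1
        else:
            out, i = out + re.escape(pattern[i]), i + 1
    return re.compile("^" + out + "$")


def match_dimensions(changed_files, dimensions):
    """Map each dimension to the changed files its triggers hit, plus the uncovered files.
    A file may land in several dimensions, which is why findings need deduplication."""
    compiled = {name: [glob_to_regex(g) for g in globs] for name, globs in dimensions.items()}
    matched, uncovered = {}, []
    for path in changed_files:
        hits = [name for name, rx in compiled.items() if any(r.match(path) for r in rx)]
        for name in hits:
            matched.setdefault(name, []).append(path)
        if not hits:
            uncovered.append(path)
    return matched, uncovered


def suggest_dimensions(uncovered, known_types=KNOWN_TYPES):
    """Group uncovered files under a known dimension type; the rest are not mappable."""
    suggestions, unmappable = {}, []
    for path in uncovered:
        for name, globs in known_types.items():
            if any(glob_to_regex(g).match(path) for g in globs):
                suggestions.setdefault(name, []).append(path)
                break
        else:
            unmappable.append(path)
    return suggestions, unmappable


def dedupe_findings(findings):
    """Merge findings that different dimensions raised for the same file:line and title
    (title compared case- and whitespace-insensitively), keeping the highest severity
    and recording every dimension that reported it."""
    merged = {}
    for f in findings:
        key = (f["file"], f["line"], re.sub(r"\s+", " ", f["title"].strip().lower()))
        if key not in merged:
            merged[key] = dict(f, dimensions=[f["dimension"]])
            continue
        m = merged[key]
        if SEVERITIES.index(f["severity"]) < SEVERITIES.index(m["severity"]):
            m["severity"] = f["severity"]
        if f["dimension"] not in m["dimensions"]:
            m["dimensions"].append(f["dimension"])
    return list(merged.values())


def summary_rows(deduped):
    """Per-dimension counts in the Summary table's column order: total, then each severity.
    A merged finding is credited to the first dimension that reported it."""
    rows = {}
    for f in deduped:
        rows.setdefault(f["dimensions"][0], Counter())[f["severity"]] += 1
    return {dim: [sum(c.values())] + [c[s] for s in SEVERITIES] for dim, c in rows.items()}
```

With the constructed input, src/handlers/deploy.ts matches both security-review and code-quality, and both report the exec() finding at line 47 with different severities; dedupe_findings collapses them into one HIGH finding attributed to both dimensions, so the Summary table counts it once. The two files no dimension matches are split into a ci-cd-pipeline-review suggestion (.github/workflows/ci.yml) and a not-mappable entry (src/custom-runtime.xyz), mirroring the review plan output shown above.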


Post-Review Self-Fix

After a review completes with actionable findings (verdict CHANGES REQUESTED or APPROVED WITH NOTES), the skill prompts:

Would you like to address these findings? (fix / no)
  fix — process findings and implement fixes using received-review-sdlc
  no  — done

Choosing fix invokes /received-review-sdlc, which picks up the findings from conversation context, analyzes each finding against the full codebase context, presents a proposed action plan, and implements only after user approval. The prompt is skipped when the verdict is APPROVED (no findings to address).


Prerequisites

  • .claude/review-dimensions/ — at least one dimension file must exist. Run /setup-sdlc --dimensions to create them.
  • gh CLI — recommended for posting the PR comment. Falls back to terminal output if unavailable.

Harness Configuration

| Field | Value |
|-------|-------|
| argument-hint | [--base <branch>] [--committed] [--staged] [--dimensions <name,...>] |
| Plan mode | Compatible (read-only analysis; skips PR comment posting) |

What It Creates or Modifies

| File / Artifact | Description |
|-----------------|-------------|
| GitHub PR comment | Consolidated review findings posted to the current PR |
| .sdlc/review.json | Created or updated with the resolved scope when --set-default is passed |