# Senior Developer Review - Workflow Instructions
```xml
The workflow execution engine is governed by: {project-root}/bmad/core/tasks/workflow.xml
You MUST have already loaded and processed: {installed_path}/workflow.yaml
Communicate all responses in {communication_language} and language MUST be tailored to {user_skill_level}
Generate all documents in {document_output_language}
This workflow performs a Senior Developer Review on a story with status "review", appends structured review notes, and updates the story status based on outcome.
If story_path is provided, use it. Otherwise, find the first story in sprint-status.yaml with status "review". If none found, HALT and ask for clarification.
Only modify the story file in these areas: Status, Dev Agent Record (Completion Notes), File List (if corrections needed), Change Log, and the appended "Senior Developer Review (AI)" section.
Execute ALL steps in exact order; do NOT skip steps
DOCUMENT OUTPUT: Technical review reports. Structured findings with severity levels and action items. User skill level ({user_skill_level}) affects conversation style ONLY, not review content.
Use {{story_path}} directly
Read COMPLETE story file and parse sections
Extract story_key from filename or story metadata
Verify Status is "review" - if not, HALT with message: "Story status must be 'review' to proceed"
MUST read COMPLETE sprint-status.yaml file from start to end to preserve order
Load the FULL file: {{output_folder}}/sprint-status.yaml
Read ALL lines from beginning to end - do not skip any content
Parse the development_status section completely
Find FIRST story (reading in order from top to bottom) where:
- Key matches pattern: number-number-name (e.g., "1-2-user-auth")
- NOT an epic key (epic-X) or retrospective (epic-X-retrospective)
- Status value equals "review"
HALT
Use the first story found with status "review"
Resolve story file path in {{story_dir}}
Read the COMPLETE story file
Extract {{epic_num}} and {{story_num}} from filename (e.g., story-2.3.*.md) and story metadata
Parse sections: Status, Story, Acceptance Criteria, Tasks/Subtasks (and completion states), Dev Notes, Dev Agent Record (Context Reference, Completion Notes, File List), Change Log
HALT with message: "Unable to read story file"
Locate story context file: Under Dev Agent Record → Context Reference, read referenced path(s). If missing, search {{output_folder}} for files matching pattern "story-{{epic_num}}.{{story_num}}*.context.xml" and use the most recent.
Continue but record a WARNING in review notes: "No story context file found"
Locate Epic Tech Spec: Search {{tech_spec_search_dir}} with glob {{tech_spec_glob_template}} (resolve {{epic_num}})
Continue but record a WARNING in review notes: "No Tech Spec found for epic {{epic_num}}"
Load architecture/standards docs: For each file name in {{arch_docs_file_names}} within {{arch_docs_search_dirs}}, read if exists. Collect testing, coding standards, security, and architectural patterns.
Detect primary ecosystem(s) by scanning for manifests (e.g., package.json, pyproject.toml, go.mod, Dockerfile). Record key frameworks (e.g., Node/Express, React/Vue, Python/FastAPI, etc.).
Synthesize a concise "Best-Practices and References" note capturing any updates or considerations that should influence the review (cite links and versions if available).
From the story, read Acceptance Criteria and Tasks/Subtasks with their completion state.
From Dev Agent Record → File List, compile list of changed/added files. If File List is missing or clearly incomplete, search repo for recent changes relevant to the story scope (heuristics: filenames matching components/services/routes/tests inferred from ACs/tasks).
Cross-check epic tech-spec requirements and architecture constraints against the implementation intent in files.
For each acceptance criterion, verify there is evidence of implementation and corresponding tests (unit/integration/E2E as applicable). Note any gaps explicitly.
flag as High Severity finding.
For each changed file, skim for common issues appropriate to the stack: error handling, input validation, logging, dependency injection, thread-safety/async correctness, resource cleanup, performance anti-patterns.
Perform security review: injection risks, authZ/authN handling, secret management, unsafe defaults, unvalidated redirects, CORS misconfiguration, dependency vulnerabilities (based on manifests).
Check test quality: assertions are meaningful, edge cases covered, deterministic behavior, proper fixtures, no flakiness patterns.
Capture concrete, actionable suggestions with severity (High/Med/Low) and rationale. When possible, suggest specific code-level changes (filenames + line ranges) without rewriting large sections.
Determine outcome: Approve, Changes Requested, or Blocked.
Prepare a structured review report with sections: Summary, Outcome, Key Findings (by severity), Acceptance Criteria Coverage, Test Coverage and Gaps, Architectural Alignment, Security Notes, Best-Practices and References, Action Items.
For Action Items, use imperative phrasing and map each to related ACs or files. Include suggested owners if clear.
Open {{story_path}} and append a new section at the end titled exactly: "Senior Developer Review (AI)".
Insert subsections:
- Reviewer: {{user_name}}
- Date: {{date}}
- Outcome: (Approve | Changes Requested | Blocked)
- Summary
- Key Findings
- Acceptance Criteria Coverage
- Test Coverage and Gaps
- Architectural Alignment
- Security Notes
- Best-Practices and References (with links)
- Action Items
Add a Change Log entry with date, version bump if applicable, and description: "Senior Developer Review notes appended".
If {{update_status_on_result}} is true: update Status to {{status_on_approve}} when approved; to {{status_on_changes_requested}} when changes requested; otherwise leave unchanged.
Save the story file.
Determine target status based on review outcome:
- If {{outcome}} == "Approve" → target_status = "done"
- If {{outcome}} == "Changes Requested" → target_status = "in-progress"
- If {{outcome}} == "Blocked" → target_status = "review" (stay in review)
Load the FULL file: {{output_folder}}/sprint-status.yaml
Read all development_status entries to find {{story_key}}
Verify current status is "review" (expected previous state)
Update development_status[{{story_key}}] = {{target_status}}
Save file, preserving ALL comments and structure including STATUS DEFINITIONS
Normalize Action Items into a structured list: description, severity (High/Med/Low), type (Bug/TechDebt/Enhancement), suggested owner (if known), related AC/file references.
Add {{action_item_count}} follow-up items to story Tasks/Subtasks?
Append under the story's "Tasks / Subtasks" a new subsection titled "Review Follow-ups (AI)", adding each item as an unchecked checkbox in imperative form, prefixed with "[AI-Review]" and severity. Example: "- [ ] [AI-Review][High] Add input validation on server route /api/x (AC #2)".
If {{backlog_file}} does not exist, copy {installed_path}/backlog_template.md to {{backlog_file}} location.
Append a row per action item with Date={{date}}, Story={{epic_num}}.{{story_num}}, Epic={{epic_num}}, Type, Severity, Owner (or "TBD"), Status="Open", Notes with short context and file refs.
If an epic Tech Spec was found: open it and create (if missing) a section titled "{{epic_followups_section_title}}". Append a bullet list of action items scoped to this epic with references back to Story {{epic_num}}.{{story_num}}.
Save modified files.
Optionally invoke tests or linters to verify quick fixes if any were applied as part of review (requires user approval for any dependency changes).
Run validation checklist at {installed_path}/checklist.md using {project-root}/bmad/core/tasks/validate-workflow.xml
Report workflow completion.
```
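
The story-selection and status-update rules above, as an added Python example that is not part of the BMAD workflow files. It assumes sprint-status.yaml holds flat `key: status` entries indented under `development_status:`; the sample content and the function names are constructed for illustration. Rewriting only the matched line, instead of re-serializing the YAML, is what keeps comments and entry order intact.

```python
import re

# Story keys look like "1-2-user-auth"; epic-X and epic-X-retrospective never match.
STORY_KEY = re.compile(r"^\d+-\d+-[A-Za-z0-9][A-Za-z0-9-]*$")
ENTRY = re.compile(r"^(\s+)([A-Za-z0-9-]+):(\s*)([A-Za-z-]+)(.*)$")
TARGET = {"Approve": "done", "Changes Requested": "in-progress", "Blocked": "review"}

# Constructed sample; the real file layout is an assumption of this example.
SAMPLE = """\
# STATUS DEFINITIONS
# review: awaiting senior developer review
development_status:
  epic-1: contexted
  1-1-project-setup: done
  1-2-user-auth: review  # ready since Monday
  1-3-password-reset: review
  epic-1-retrospective: optional
"""

def _entries(lines):
    """Yield (line index, match) for entries under development_status, in file order."""
    inside = False
    for i, line in enumerate(lines):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace():  # a new top-level key starts or ends the section
            inside = line.startswith("development_status:")
            continue
        m = ENTRY.match(line) if inside else None
        if m:
            yield i, m

def first_story_in_review(text):
    """Return the first story key with status 'review', or None (caller HALTs)."""
    for _, m in _entries(text.splitlines()):
        if STORY_KEY.match(m.group(2)) and m.group(4) == "review":
            return m.group(2)
    return None

def apply_outcome(text, story_key, outcome):
    """Rewrite only the status token of story_key; every other byte is preserved."""
    lines = text.splitlines(keepends=True)
    for i, m in _entries(lines):
        if m.group(2) != story_key:
            continue
        if m.group(4) != "review":  # verify the expected previous state
            raise ValueError(f"{story_key} is {m.group(4)!r}, expected 'review'")
        lines[i] = lines[i][:m.start(4)] + TARGET[outcome] + lines[i][m.end(4):]
        return "".join(lines)
    raise KeyError(story_key)
```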