review-workflow-management

Review Dapr Workflow — Management Endpoints

Overview

Reviews the HTTP/gRPC management surface a Dapr Workflow app exposes (start, get-status, terminate, pause, resume, raise-event, purge). Checks for missing endpoints, divergent response shapes, missing auth, hard-coded ids, blocking await patterns, and unscoped error handling. Read-only: this skill never modifies source files. Workflow body code and activity bodies are out of scope and are covered by review-workflow-determinism and review-workflow-activity.

Execution Order

You MUST follow these phases in strict order. Do not load files outside the agreed scope, and do not write or edit any files.

1. Resolve scope — Read ../shared/review-scope-prompt.md and follow it to set scope_root.
2. Detect target — Read ../shared/review-detect-target.md and follow it to produce language, management_files, and workflow_files. If management_files is empty, emit a single critical finding (DWF-MGT-001 — no management endpoints found) and stop.
3. Load checklist — Based on language, read exactly one of:
   • dotnet or aspire → ../shared/review-management-dotnet.md
   • python → ../shared/review-management-python.md
4. Required-coverage pass — Determine which of the canonical endpoints are present by grepping management_files for the SDK calls listed in the checklist's "Required endpoint coverage" table. Emit a finding for each missing endpoint using the rule id from that table. If workflow_files references WaitForExternalEventAsync / wait_for_external_event, also enforce the raise-event endpoint (DWF-MGT-006).
5. Per-endpoint pass — For every endpoint that is present, walk the per-rule heuristics (DWF-MGT-007 and onward) and emit findings for each match.
6. Report — Format every finding using the canonical template from ../shared/review-report-format.md. Group by severity, then rule id, then file path.
7. Show final message — Your last output is the report. Do not append a summary, follow-up question, or next-action prompt other than the ## Next steps block defined by the report format.

Prerequisites

• Read access to the project directory.
• No build, compile, or run step is required — this skill is fully static.

Allowed tools

Read, Grep, Glob only. The skill MUST NOT call Bash, Write, or Edit.

Rules

The full rule list, including detection patterns, severities, and suggested fixes, lives in the loaded language checklist:

• .NET / Aspire rules — DWF-MGT-001 … DWF-MGT-015
• Python rules — DWF-MGT-001 … DWF-MGT-015

Rule ids are stable across releases. New rules append; deprecated rule ids are reserved.

Show final message

The last thing you emit MUST be the report from step 6, including the ## Next steps section. The ## Next steps block should suggest:

• Run review-workflow-determinism next if it has not yet been run on this scope.
• Run review-workflow-activity next if any activity files exist.
• Re-run this skill after fixes if any critical findings were reported.

Do not add any text after the report.