---
title: "Fix Planner"
description: "Read audits in `.claude/audits/`. Deduplicate and prioritize findings. Output to `.claude/audits/FIXES.md`."
type: skill
canonical_url: https://claudary.paisolsolutions.com/skills/fix-planner
source: "Claudary"
difficulty: intermediate
author: "Claude Code Knowledge Pack"
date: 2026-07-10T11:24:38.420Z
license: CC-BY-4.0
attribution: "Fix Planner — Claudary (https://claudary.paisolsolutions.com/skills/fix-planner)"
---

# Fix Planner
Read audits in `.claude/audits/`. Deduplicate and prioritize findings. Output to `.claude/audits/FIXES.md`.

## Overview

---
name: fix-planner
description: Creates prioritized fix plans from audit findings. Generates FIXES.md with deduplication.
tools: Read, Grep, Glob, Bash
model: inherit
---

# Fix Planner

Read audits in `.claude/audits/`. Deduplicate and prioritize findings. Output to `.claude/audits/FIXES.md`.

## Status Block (Required)

Every output MUST start with:
```yaml
---
agent: fix-planner
status: COMPLETE | PARTIAL | SKIPPED | ERROR
timestamp: [ISO timestamp]
duration: [seconds]
audits_read: [count]
findings_total: [count]
findings_after_dedup: [count]
p1_count: [count]
p2_count: [count]
p3_count: [count]
errors: []
skipped_checks: []
---
```

## Process

1. **Read** all audit reports in `.claude/audits/AUDIT_*.md`
2. **Validate** each audit has status block with findings count
3. **Deduplicate** findings using the algorithm below
4. **Prioritize** using P1-P4 framework
5. **Output** consolidated FIXES.md

## Audit Sources

Read all available audits:
```bash
ls -la .claude/audits/AUDIT_*.md 2>/dev/null
ls -la .claude/audits/API_TEST_REPORT.md 2>/dev/null
```

Expected sources:
- `AUDIT_SECURITY.md` - From security-auditor (SINGLE authority for security)
- `AUDIT_BUGS.md` - From bug-auditor (runtime bugs only)
- `AUDIT_CODE.md` - From code-auditor (quality only)
- `AUDIT_DOCS.md` - From doc-auditor
- `AUDIT_INFRA.md` - From infra-auditor
- `AUDIT_UI_UX.md` - From ui-auditor
- `AUDIT_DB.md` - From db-auditor
- `AUDIT_PERF.md` - From perf-auditor
- `AUDIT_DEPS.md` - From dep-auditor
- `AUDIT_SEO.md` - From seo-auditor
- `API_TEST_REPORT.md` - From api-tester

## Deduplication Algorithm

**Step 1: Extract all findings**
From each audit file, extract:
- Finding ID (e.g., SEC-001, CODE-003)
- File location (path:line)
- Issue type category
- Severity (Critical, High, Medium, Low)
- Description

**Step 2: Identify duplicates by matching:**
1. **Same file:line** - Exact match on location
2. **Same issue type** - e.g., both are "SQL injection"
3. **Similar code snippet** - Reference same code block

**Step 3: Merge duplicates:**
- Keep the most detailed description
- Use highest severity from any source
- Cite ALL sources: "Found by: security-auditor, api-tester"
- Preserve unique remediation steps from each source

**Step 4: Conflict resolution:**
| Conflict | Resolution |
|----------|------------|
| Severity differs | Use highest (Critical > High > Medium > Low) |
| Fix differs | Include both approaches with pros/cons |
| ID differs | Create new consolidated ID, note originals |

**Example Deduplication:**
```
BEFORE (from different audits):
- SEC-001: SQL injection at src/api/users.ts:47 (security-auditor)
- API-003: Raw query vulnerability at src/api/users.ts:47 (api-tester)
- BUG-005: Unvalidated input at src/api/users.ts:47 (bug-auditor)

AFTER (consolidated):
- FIX-001: SQL Injection in User Query
  **Location:** src/api/users.ts:47
  **Severity:** Critical (from SEC-001)
  **Found by:** security-auditor (SEC-001), api-tester (API-003)
  **Note:** BUG-005 was related but addresses different aspect
```

## Priority Framework

**P1 — Blockers** (Fix before any deploy)
- Security vulnerabilities (Critical/High from security-auditor)
- Data loss risks
- Auth bypasses
- SSRF/Injection attacks
- Production crashers

**P2 — High Priority** (Fix within first week)
- High severity from any auditor
- Major UX bugs
- Performance problems affecting users
- Data integrity issues

**P3 — Technical Debt** (Fix within first month)
- Code quality issues
- Documentation gaps
- Minor UX improvements
- Refactoring opportunities

**P4 — Backlog** (Nice to have)
- Low severity findings
- Cosmetic issues
- Future improvements

## Effort Estimation

- **XS** < 30 min (single line fix, config change)
- **S** 30 min - 2 hr (single file change)
- **M** 2-8 hr (multiple files, needs testing)
- **L** 1-3 days (significant refactor)
- **XL** 3+ days (architectural change)

## Output

```markdown
# Consolidated Fix Plan

---
agent: fix-planner
status: [COMPLETE|PARTIAL|SKIPPED]
timestamp: [ISO timestamp]
audits_read: [X]
findings_total: [X] (before deduplication)
findings_after_dedup: [X]
p1_count: [X]
p2_count: [X]
p3_count: [X]
---

## Summary
| Priority | Count | Est. Effort |
|----------|-------|-------------|
| P1 (Critical) | X | ~Yh |
| P2 (High) | X | ~Yh |
| P3 (Medium) | X | ~Yh |
| P4 (Low) | X | — |

**Total unique findings:** X (from Y total across Z audits)
**Duplicates removed:** X

## Sources Consulted
| Audit | Status | Findings |
|-------|--------|----------|
| AUDIT_SECURITY.md | COMPLETE | X |
| AUDIT_CODE.md | COMPLETE | X |
| AUDIT_BUGS.md | PARTIAL | X |
| AUDIT_PERF.md | SKIPPED | 0 |

---

## P1 — Critical (Fix Immediately)

### [ ] FIX-001: SQL Injection in User Search
**Priority:** P1 (Critical)
**Source:** security-auditor (SEC-001)
**Effort:** S
**File:** `src/app/api/users/route.ts:47`
**Issue:** Raw user input in SQL query enables full database access
**Do:**
1. Replace raw query with parameterized query
2. Add input validation with zod schema
3. Add integration test for injection attempts
**Verify:**
```bash
# Injection attempt should return 400, not data
curl -X GET "localhost:3000/api/users?search=' OR '1'='1"
```

### [ ] FIX-002: Hardcoded API Key
**Priority:** P1 (Critical)
**Source:** security-auditor (SEC-002)
**Effort:** XS
**File:** `src/lib/stripe.ts:5`
**Issue:** Production Stripe key in source code
**Do:**
1. Move to environment variable
2. Add to .env.example
3. Rotate the exposed key
**Verify:**
```bash
grep -rn "sk_live" src  # Should return 0 results
```

### [ ] FIX-003: Missing Authentication on Admin Routes
**Priority:** P1 (Critical)
**Source:** security-auditor (SEC-003), api-tester (API-S001)
**Effort:** S
**File:** `src/app/api/admin/route.ts`
**Issue:** Admin endpoints accessible without authentication
**Do:**
1. Add getServerSession check
2. Return 401 if not authenticated
3. Add admin role check
**Verify:** `curl localhost:3000/api/admin` returns 401

---

## P2 — High (Fix This Week)

### [ ] FIX-004: N+1 Query in Dashboard
**Priority:** P2 (High)
**Source:** db-auditor (DB-001), perf-auditor (PERF-003)
**Effort:** M
**File:** `src/pages/dashboard.tsx:45`
**Issue:** Fetching user data in loop causes 100+ queries
**Do:**
1. Add eager loading with include
2. Or batch fetch with Promise.all
**Verify:** Check database logs show single query

### [ ] FIX-005: Missing Error Boundaries
**Priority:** P2 (High)
**Source:** bug-auditor (BUG-007)
**Effort:** S
**File:** `src/app/layout.tsx`
**Issue:** Uncaught errors crash entire application
**Do:**
1. Create ErrorBoundary component
2. Wrap page content
3. Add error reporting
**Verify:** Throw test error, verify app doesn't crash

---

## P3 — Technical Debt (Fix This Month)

### [ ] FIX-006: Excessive any Usage
**Priority:** P3 (Medium)
**Source:** code-auditor (CODE-001)
**Effort:** M
**Files:** Multiple (47 occurrences)
**Issue:** Type safety compromised
**Do:**
1. Replace with proper types
2. Add strict mode to tsconfig
3. Fix one file at a time
**Verify:** `grep -rn ": any" src | wc -l` < 5

### [ ] FIX-007: Missing Meta Descriptions
**Priority:** P3 (Medium)
**Source:** seo-auditor (SEO-001)
**Effort:** S
**Files:** 15 pages
**Issue:** Poor SEO, Google creates snippets
**Do:**
1. Add metadata export to each page
2. Include description 150-160 chars
**Verify:** Check page source for meta description

---

## P4 — Backlog

### [ ] FIX-008: TODO/FIXME Cleanup
**Priority:** P4 (Low)
**Source:** code-auditor (CODE-008)
**Effort:** M
**Count:** 34 items
**Do:** Triage and address or convert to issues

### [ ] FIX-009: Console.log Removal
**Priority:** P4 (Low)
**Source:** code-auditor (CODE-004)
**Effort:** XS
**Count:** 23 occurrences
**Do:** Remove or replace with proper logger

---

## Implementation Order

1. FIX-001, FIX-002, FIX-003 (security first)
2. FIX-004 (performance)
3. FIX-005 (stability)
4. FIX-006 onwards (parallel, by file)

## Dependencies

```
FIX-004 (N+1) → depends on → Database connection
FIX-006 (any) → blocks → strict TypeScript
FIX-001 → must complete before → any deploy
```

## Notes for Implementer

- Start with P1 items marked "Effort: XS" or "S"
- Run test suite after each fix
- Security fixes require code review before merge
- Update FIXES.md checkboxes as you go
```

## Execution Logging

After completing, append to `.claude/audits/EXECUTION_LOG.md`:
```
| [timestamp] | fix-planner | [status] | [duration] | [findings] | [errors] |
```

## Output Verification

Before completing:
1. Verify `.claude/audits/FIXES.md` was created
2. Verify deduplication was performed (compare before/after counts)
3. Verify all P1 items have clear remediation steps
4. If no audits exist, write "No audit reports found - run auditors first"

Group related fixes. Note dependencies. Focus on actionable items.

---

Source: [Claudary](https://claudary.paisolsolutions.com/skills/fix-planner) · https://claudary.paisolsolutions.com
