All skills
Skillintermediate

Fix Planner

Read audits in `.claude/audits/`. Deduplicate and prioritize findings. Output to `.claude/audits/FIXES.md`.

Claude Code Knowledge Pack7/10/2026

Overview

Fix Planner

Read audits in .claude/audits/. Deduplicate and prioritize findings. Output to .claude/audits/FIXES.md.

Status Block (Required)

Every output MUST start with:

---
agent: fix-planner
status: COMPLETE | PARTIAL | SKIPPED | ERROR
timestamp: [ISO timestamp]
duration: [seconds]
audits_read: [count]
findings_total: [count]
findings_after_dedup: [count]
p1_count: [count]
p2_count: [count]
p3_count: [count]
errors: []
skipped_checks: []
---

Process

  1. Read all audit reports in .claude/audits/AUDIT_*.md
  2. Validate each audit has status block with findings count
  3. Deduplicate findings using the algorithm below
  4. Prioritize using P1-P4 framework
  5. Output consolidated FIXES.md

Audit Sources

Read all available audits:

ls -la .claude/audits/AUDIT_*.md 2>/dev/null
ls -la .claude/audits/API_TEST_REPORT.md 2>/dev/null

Expected sources:

  • AUDIT_SECURITY.md - From security-auditor (SINGLE authority for security)
  • AUDIT_BUGS.md - From bug-auditor (runtime bugs only)
  • AUDIT_CODE.md - From code-auditor (quality only)
  • AUDIT_DOCS.md - From doc-auditor
  • AUDIT_INFRA.md - From infra-auditor
  • AUDIT_UI_UX.md - From ui-auditor
  • AUDIT_DB.md - From db-auditor
  • AUDIT_PERF.md - From perf-auditor
  • AUDIT_DEPS.md - From dep-auditor
  • AUDIT_SEO.md - From seo-auditor
  • API_TEST_REPORT.md - From api-tester

Deduplication Algorithm

Step 1: Extract all findings From each audit file, extract:

  • Finding ID (e.g., SEC-001, CODE-003)
  • File location (path:line)
  • Issue type category
  • Severity (Critical, High, Medium, Low)
  • Description

Step 2: Identify duplicates by matching:

  1. Same file:line - Exact match on location
  2. Same issue type - e.g., both are "SQL injection"
  3. Similar code snippet - Reference same code block

Step 3: Merge duplicates:

  • Keep the most detailed description
  • Use highest severity from any source
  • Cite ALL sources: "Found by: security-auditor, api-tester"
  • Preserve unique remediation steps from each source

Step 4: Conflict resolution:

ConflictResolution
Severity differsUse highest (Critical > High > Medium > Low)
Fix differsInclude both approaches with pros/cons
ID differsCreate new consolidated ID, note originals

Example Deduplication:

BEFORE (from different audits):
- SEC-001: SQL injection at src/api/users.ts:47 (security-auditor)
- API-003: Raw query vulnerability at src/api/users.ts:47 (api-tester)
- BUG-005: Unvalidated input at src/api/users.ts:47 (bug-auditor)

AFTER (consolidated):
- FIX-001: SQL Injection in User Query
  **Location:** src/api/users.ts:47
  **Severity:** Critical (from SEC-001)
  **Found by:** security-auditor (SEC-001), api-tester (API-003)
  **Note:** BUG-005 was related but addresses different aspect

Priority Framework

P1 — Blockers (Fix before any deploy)

  • Security vulnerabilities (Critical/High from security-auditor)
  • Data loss risks
  • Auth bypasses
  • SSRF/Injection attacks
  • Production crashers

P2 — High Priority (Fix within first week)

  • High severity from any auditor
  • Major UX bugs
  • Performance problems affecting users
  • Data integrity issues

P3 — Technical Debt (Fix within first month)

  • Code quality issues
  • Documentation gaps
  • Minor UX improvements
  • Refactoring opportunities

P4 — Backlog (Nice to have)

  • Low severity findings
  • Cosmetic issues
  • Future improvements

Effort Estimation

  • XS < 30 min (single line fix, config change)
  • S 30 min - 2 hr (single file change)
  • M 2-8 hr (multiple files, needs testing)
  • L 1-3 days (significant refactor)
  • XL 3+ days (architectural change)

Output

# Consolidated Fix Plan

---
agent: fix-planner
status: [COMPLETE|PARTIAL|SKIPPED]
timestamp: [ISO timestamp]
audits_read: [X]
findings_total: [X] (before deduplication)
findings_after_dedup: [X]
p1_count: [X]
p2_count: [X]
p3_count: [X]
---

## Summary
| Priority | Count | Est. Effort |
|----------|-------|-------------|
| P1 (Critical) | X | ~Yh |
| P2 (High) | X | ~Yh |
| P3 (Medium) | X | ~Yh |
| P4 (Low) | X | — |

**Total unique findings:** X (from Y total across Z audits)
**Duplicates removed:** X

## Sources Consulted
| Audit | Status | Findings |
|-------|--------|----------|
| AUDIT_SECURITY.md | COMPLETE | X |
| AUDIT_CODE.md | COMPLETE | X |
| AUDIT_BUGS.md | PARTIAL | X |
| AUDIT_PERF.md | SKIPPED | 0 |

---

## P1 — Critical (Fix Immediately)

### [ ] FIX-001: SQL Injection in User Search
**Priority:** P1 (Critical)
**Source:** security-auditor (SEC-001)
**Effort:** S
**File:** `src/app/api/users/route.ts:47`
**Issue:** Raw user input in SQL query enables full database access
**Do:**
1. Replace raw query with parameterized query
2. Add input validation with zod schema
3. Add integration test for injection attempts
**Verify:**
```bash
# Injection attempt should return 400, not data
curl -X GET "localhost:3000/api/users?search=' OR '1'='1"

[ ] FIX-002: Hardcoded API Key

Priority: P1 (Critical) Source: security-auditor (SEC-002) Effort: XS File: src/lib/stripe.ts:5 Issue: Production Stripe key in source code Do:

  1. Move to environment variable
  2. Add to .env.example
  3. Rotate the exposed key Verify:
grep -rn "sk_live" src  # Should return 0 results

[ ] FIX-003: Missing Authentication on Admin Routes

Priority: P1 (Critical) Source: security-auditor (SEC-003), api-tester (API-S001) Effort: S File: src/app/api/admin/route.ts Issue: Admin endpoints accessible without authentication Do:

  1. Add getServerSession check
  2. Return 401 if not authenticated
  3. Add admin role check Verify: curl localhost:3000/api/admin returns 401

P2 — High (Fix This Week)

[ ] FIX-004: N+1 Query in Dashboard

Priority: P2 (High) Source: db-auditor (DB-001), perf-auditor (PERF-003) Effort: M File: src/pages/dashboard.tsx:45 Issue: Fetching user data in loop causes 100+ queries Do:

  1. Add eager loading with include
  2. Or batch fetch with Promise.all Verify: Check database logs show single query

[ ] FIX-005: Missing Error Boundaries

Priority: P2 (High) Source: bug-auditor (BUG-007) Effort: S File: src/app/layout.tsx Issue: Uncaught errors crash entire application Do:

  1. Create ErrorBoundary component
  2. Wrap page content
  3. Add error reporting Verify: Throw test error, verify app doesn't crash

P3 — Technical Debt (Fix This Month)

[ ] FIX-006: Excessive any Usage

Priority: P3 (Medium) Source: code-auditor (CODE-001) Effort: M Files: Multiple (47 occurrences) Issue: Type safety compromised Do:

  1. Replace with proper types
  2. Add strict mode to tsconfig
  3. Fix one file at a time Verify: grep -rn ": any" src | wc -l < 5

[ ] FIX-007: Missing Meta Descriptions

Priority: P3 (Medium) Source: seo-auditor (SEO-001) Effort: S Files: 15 pages Issue: Poor SEO, Google creates snippets Do:

  1. Add metadata export to each page
  2. Include description 150-160 chars Verify: Check page source for meta description

P4 — Backlog

[ ] FIX-008: TODO/FIXME Cleanup

Priority: P4 (Low) Source: code-auditor (CODE-008) Effort: M Count: 34 items Do: Triage and address or convert to issues

[ ] FIX-009: Console.log Removal

Priority: P4 (Low) Source: code-auditor (CODE-004) Effort: XS Count: 23 occurrences Do: Remove or replace with proper logger


Implementation Order

  1. FIX-001, FIX-002, FIX-003 (security first)
  2. FIX-004 (performance)
  3. FIX-005 (stability)
  4. FIX-006 onwards (parallel, by file)

Dependencies

FIX-004 (N+1) → depends on → Database connection
FIX-006 (any) → blocks → strict TypeScript
FIX-001 → must complete before → any deploy

Notes for Implementer

  • Start with P1 items marked "Effort: XS" or "S"
  • Run test suite after each fix
  • Security fixes require code review before merge
  • Update FIXES.md checkboxes as you go

## Execution Logging

After completing, append to `.claude/audits/EXECUTION_LOG.md`:

| [timestamp] | fix-planner | [status] | [duration] | [findings] | [errors] |


## Output Verification

Before completing:
1. Verify `.claude/audits/FIXES.md` was created
2. Verify deduplication was performed (compare before/after counts)
3. Verify all P1 items have clear remediation steps
4. If no audits exist, write "No audit reports found - run auditors first"

Group related fixes. Note dependencies. Focus on actionable items.