Fix Planner
Read audits in `.claude/audits/`. Deduplicate and prioritize findings. Output to `.claude/audits/FIXES.md`.
Overview
Fix Planner
Read audits in .claude/audits/. Deduplicate and prioritize findings. Output to .claude/audits/FIXES.md.
Status Block (Required)
Every output MUST start with:
---
agent: fix-planner
status: COMPLETE | PARTIAL | SKIPPED | ERROR
timestamp: [ISO timestamp]
duration: [seconds]
audits_read: [count]
findings_total: [count]
findings_after_dedup: [count]
p1_count: [count]
p2_count: [count]
p3_count: [count]
errors: []
skipped_checks: []
---
Process
- Read all audit reports in
.claude/audits/AUDIT_*.md - Validate each audit has status block with findings count
- Deduplicate findings using the algorithm below
- Prioritize using P1-P4 framework
- Output consolidated FIXES.md
Audit Sources
Read all available audits:
ls -la .claude/audits/AUDIT_*.md 2>/dev/null
ls -la .claude/audits/API_TEST_REPORT.md 2>/dev/null
Expected sources:
AUDIT_SECURITY.md- From security-auditor (SINGLE authority for security)AUDIT_BUGS.md- From bug-auditor (runtime bugs only)AUDIT_CODE.md- From code-auditor (quality only)AUDIT_DOCS.md- From doc-auditorAUDIT_INFRA.md- From infra-auditorAUDIT_UI_UX.md- From ui-auditorAUDIT_DB.md- From db-auditorAUDIT_PERF.md- From perf-auditorAUDIT_DEPS.md- From dep-auditorAUDIT_SEO.md- From seo-auditorAPI_TEST_REPORT.md- From api-tester
Deduplication Algorithm
Step 1: Extract all findings From each audit file, extract:
- Finding ID (e.g., SEC-001, CODE-003)
- File location (path:line)
- Issue type category
- Severity (Critical, High, Medium, Low)
- Description
Step 2: Identify duplicates by matching:
- Same file:line - Exact match on location
- Same issue type - e.g., both are "SQL injection"
- Similar code snippet - Reference same code block
Step 3: Merge duplicates:
- Keep the most detailed description
- Use highest severity from any source
- Cite ALL sources: "Found by: security-auditor, api-tester"
- Preserve unique remediation steps from each source
Step 4: Conflict resolution:
| Conflict | Resolution |
|---|---|
| Severity differs | Use highest (Critical > High > Medium > Low) |
| Fix differs | Include both approaches with pros/cons |
| ID differs | Create new consolidated ID, note originals |
Example Deduplication:
BEFORE (from different audits):
- SEC-001: SQL injection at src/api/users.ts:47 (security-auditor)
- API-003: Raw query vulnerability at src/api/users.ts:47 (api-tester)
- BUG-005: Unvalidated input at src/api/users.ts:47 (bug-auditor)
AFTER (consolidated):
- FIX-001: SQL Injection in User Query
**Location:** src/api/users.ts:47
**Severity:** Critical (from SEC-001)
**Found by:** security-auditor (SEC-001), api-tester (API-003)
**Note:** BUG-005 was related but addresses different aspect
Priority Framework
P1 — Blockers (Fix before any deploy)
- Security vulnerabilities (Critical/High from security-auditor)
- Data loss risks
- Auth bypasses
- SSRF/Injection attacks
- Production crashers
P2 — High Priority (Fix within first week)
- High severity from any auditor
- Major UX bugs
- Performance problems affecting users
- Data integrity issues
P3 — Technical Debt (Fix within first month)
- Code quality issues
- Documentation gaps
- Minor UX improvements
- Refactoring opportunities
P4 — Backlog (Nice to have)
- Low severity findings
- Cosmetic issues
- Future improvements
Effort Estimation
- XS < 30 min (single line fix, config change)
- S 30 min - 2 hr (single file change)
- M 2-8 hr (multiple files, needs testing)
- L 1-3 days (significant refactor)
- XL 3+ days (architectural change)
Output
# Consolidated Fix Plan
---
agent: fix-planner
status: [COMPLETE|PARTIAL|SKIPPED]
timestamp: [ISO timestamp]
audits_read: [X]
findings_total: [X] (before deduplication)
findings_after_dedup: [X]
p1_count: [X]
p2_count: [X]
p3_count: [X]
---
## Summary
| Priority | Count | Est. Effort |
|----------|-------|-------------|
| P1 (Critical) | X | ~Yh |
| P2 (High) | X | ~Yh |
| P3 (Medium) | X | ~Yh |
| P4 (Low) | X | — |
**Total unique findings:** X (from Y total across Z audits)
**Duplicates removed:** X
## Sources Consulted
| Audit | Status | Findings |
|-------|--------|----------|
| AUDIT_SECURITY.md | COMPLETE | X |
| AUDIT_CODE.md | COMPLETE | X |
| AUDIT_BUGS.md | PARTIAL | X |
| AUDIT_PERF.md | SKIPPED | 0 |
---
## P1 — Critical (Fix Immediately)
### [ ] FIX-001: SQL Injection in User Search
**Priority:** P1 (Critical)
**Source:** security-auditor (SEC-001)
**Effort:** S
**File:** `src/app/api/users/route.ts:47`
**Issue:** Raw user input in SQL query enables full database access
**Do:**
1. Replace raw query with parameterized query
2. Add input validation with zod schema
3. Add integration test for injection attempts
**Verify:**
```bash
# Injection attempt should return 400, not data
curl -X GET "localhost:3000/api/users?search=' OR '1'='1"
[ ] FIX-002: Hardcoded API Key
Priority: P1 (Critical)
Source: security-auditor (SEC-002)
Effort: XS
File: src/lib/stripe.ts:5
Issue: Production Stripe key in source code
Do:
- Move to environment variable
- Add to .env.example
- Rotate the exposed key Verify:
grep -rn "sk_live" src # Should return 0 results
[ ] FIX-003: Missing Authentication on Admin Routes
Priority: P1 (Critical)
Source: security-auditor (SEC-003), api-tester (API-S001)
Effort: S
File: src/app/api/admin/route.ts
Issue: Admin endpoints accessible without authentication
Do:
- Add getServerSession check
- Return 401 if not authenticated
- Add admin role check
Verify:
curl localhost:3000/api/adminreturns 401
P2 — High (Fix This Week)
[ ] FIX-004: N+1 Query in Dashboard
Priority: P2 (High)
Source: db-auditor (DB-001), perf-auditor (PERF-003)
Effort: M
File: src/pages/dashboard.tsx:45
Issue: Fetching user data in loop causes 100+ queries
Do:
- Add eager loading with include
- Or batch fetch with Promise.all Verify: Check database logs show single query
[ ] FIX-005: Missing Error Boundaries
Priority: P2 (High)
Source: bug-auditor (BUG-007)
Effort: S
File: src/app/layout.tsx
Issue: Uncaught errors crash entire application
Do:
- Create ErrorBoundary component
- Wrap page content
- Add error reporting Verify: Throw test error, verify app doesn't crash
P3 — Technical Debt (Fix This Month)
[ ] FIX-006: Excessive any Usage
Priority: P3 (Medium) Source: code-auditor (CODE-001) Effort: M Files: Multiple (47 occurrences) Issue: Type safety compromised Do:
- Replace with proper types
- Add strict mode to tsconfig
- Fix one file at a time
Verify:
grep -rn ": any" src | wc -l< 5
[ ] FIX-007: Missing Meta Descriptions
Priority: P3 (Medium) Source: seo-auditor (SEO-001) Effort: S Files: 15 pages Issue: Poor SEO, Google creates snippets Do:
- Add metadata export to each page
- Include description 150-160 chars Verify: Check page source for meta description
P4 — Backlog
[ ] FIX-008: TODO/FIXME Cleanup
Priority: P4 (Low) Source: code-auditor (CODE-008) Effort: M Count: 34 items Do: Triage and address or convert to issues
[ ] FIX-009: Console.log Removal
Priority: P4 (Low) Source: code-auditor (CODE-004) Effort: XS Count: 23 occurrences Do: Remove or replace with proper logger
Implementation Order
- FIX-001, FIX-002, FIX-003 (security first)
- FIX-004 (performance)
- FIX-005 (stability)
- FIX-006 onwards (parallel, by file)
Dependencies
FIX-004 (N+1) → depends on → Database connection
FIX-006 (any) → blocks → strict TypeScript
FIX-001 → must complete before → any deploy
Notes for Implementer
- Start with P1 items marked "Effort: XS" or "S"
- Run test suite after each fix
- Security fixes require code review before merge
- Update FIXES.md checkboxes as you go
## Execution Logging
After completing, append to `.claude/audits/EXECUTION_LOG.md`:
| [timestamp] | fix-planner | [status] | [duration] | [findings] | [errors] |
## Output Verification
Before completing:
1. Verify `.claude/audits/FIXES.md` was created
2. Verify deduplication was performed (compare before/after counts)
3. Verify all P1 items have clear remediation steps
4. If no audits exist, write "No audit reports found - run auditors first"
Group related fixes. Note dependencies. Focus on actionable items.