audit-and-fix

audit-and-fix

Composite skill that chains security-audit, production-upgrade, and self-eval into a single audit-then-remediate pipeline. Each step consumes the previous step's artifacts and gates the next step based on severity.

Chain Overview

security-audit -> production-upgrade -> self-eval
     |                   |                  |
     v                   v                  v
  AUDIT-SECURITY.md   UPGRADE.md      EVAL-RESULT.md

Inputs

Parameter	Values	Default	Description
target	path, ., changed-files	.	What to audit
scope	full, changed-files	full	Breadth of analysis

---

Step 1: Security Audit

Invokes: /security-audit with framework=all, scope={scope}

What it does:

• 7-domain scan: OWASP Top 10, MITRE ATT&CK, NIST CSF 2.0, secret detection, supply chain, container, DevSecOps
• Every finding cites file:line evidence with severity (CRITICAL/HIGH/MEDIUM/LOW)
• Cross-maps all findings across all three frameworks

Produces: .productionos/AUDIT-SECURITY.md

Gate to Step 2:

• If CRITICAL findings > 0: ESCALATE. Do not proceed to production-upgrade. Print escalation report with CRITICAL findings and halt. The user must acknowledge CRITICAL issues before remediation begins.
• If HIGH findings > 5: Print warning, proceed with --mode=audit (read-only upgrade analysis, no code changes).
• Otherwise: Proceed normally to Step 2.

---

Step 2: Production Upgrade

Invokes: /production-upgrade --mode=audit

What it does:

• Reads AUDIT-SECURITY.md as input baseline
• Runs full codebase quality audit: code style, error handling, test coverage, dependency health, API design
• Identifies upgrade opportunities beyond security (performance, maintainability, correctness)
• Generates prioritized fix plan with effort estimates

Produces: .productionos/UPGRADE.md

Gate to Step 3:

• Proceeds unconditionally. Production-upgrade is advisory in audit mode.

---

Step 3: Self-Evaluation

Invokes: /self-eval last

What it does:

• Evaluates the combined audit + upgrade analysis against 7 quality dimensions
• Scores: quality, necessity, correctness, dependencies, completeness, learning, honesty
• Overall score >= 8.0 is PASS, 6.0-7.9 triggers self-heal loop (max 3), < 6.0 blocks

Produces: .productionos/EVAL-RESULT.md

---

Escalation Protocol

When security-audit finds CRITICAL severity issues:

STATUS: BLOCKED
REASON: {N} CRITICAL security findings require immediate attention
FINDINGS:
  1. {finding_id}: {description} at {file}:{line} — {framework_mapping}
  ...
RECOMMENDATION: Fix CRITICAL issues manually, then re-run /audit-and-fix

Do NOT attempt automated fixes for CRITICAL security issues. Authentication bypasses, exposed secrets, and RCE vectors require human review.

---

Output Format

Final composite report written to .productionos/AUDIT-AND-FIX.md:

# Audit & Fix Report

## Summary
- **Security Posture:** X/10
- **Production Readiness:** X/10
- **Self-Eval Score:** X/10
- **Findings:** N security, M upgrade opportunities
- **Status:** PASS | BLOCKED | NEEDS_ATTENTION

## Security Findings (from Step 1)
{top 10 findings by severity, full list in AUDIT-SECURITY.md}

## Upgrade Opportunities (from Step 2)
{prioritized list with effort estimates}

## Evaluation (from Step 3)
{7-dimension score breakdown}

## Next Actions
1. {highest priority action}
2. {second priority action}
...

---

When to Use

• "Audit this codebase" -- runs full pipeline
• "Is this production-ready?" -- runs full pipeline
• "Find and fix security issues" -- runs full pipeline
• "Check the code quality" -- runs full pipeline

When NOT to Use

• Active debugging of a specific bug -- use /debug instead
• Shipping a PR -- use /ship-safe instead
• Full project lifecycle -- use /full-cycle instead