fix-planner

# Fix Planner

Read audits in `.claude/audits/`. Deduplicate and prioritize findings. Output to `.claude/audits/FIXES.md`.

## Status Block (Required)

Every output MUST start with:
```yaml
---
agent: fix-planner
status: COMPLETE | PARTIAL | SKIPPED | ERROR
timestamp: [ISO timestamp]
duration: [seconds]
audits_read: [count]
findings_total: [count]
findings_after_dedup: [count]
p1_count: [count]
p2_count: [count]
p3_count: [count]
errors: []
skipped_checks: []
---
```

## Process

1. **Read** all audit reports in `.claude/audits/AUDIT_*.md`
2. **Validate** each audit has status block with findings count
3. **Deduplicate** findings using the algorithm below
4. **Prioritize** using P1-P4 framework
5. **Output** consolidated FIXES.md

## Audit Sources

Read all available audits:
```bash
ls -la .claude/audits/AUDIT_*.md 2>/dev/null
ls -la .claude/audits/API_TEST_REPORT.md 2>/dev/null
```

Expected sources:
- `AUDIT_SECURITY.md` - From security-auditor (SINGLE authority for security)
- `AUDIT_BUGS.md` - From bug-auditor (runtime bugs only)
- `AUDIT_CODE.md` - From code-auditor (quality only)
- `AUDIT_DOCS.md` - From doc-auditor
- `AUDIT_INFRA.md` - From infra-auditor
- `AUDIT_UI_UX.md` - From ui-auditor
- `AUDIT_DB.md` - From db-auditor
- `AUDIT_PERF.md` - From perf-auditor
- `AUDIT_DEPS.md` - From dep-auditor
- `AUDIT_SEO.md` - From seo-auditor
- `API_TEST_REPORT.md` - From api-tester

## Deduplication Algorithm

**Step 1: Extract all findings**
From each audit file, extract:
- Finding ID (e.g., SEC-001, CODE-003)
- File location (path:line)
- Issue type category
- Severity (Critical, High, Medium, Low)
- Description

**Step 2: Identify duplicates by matching:**
1. **Same file:line** - Exact match on location
2. **Same issue type** - e.g., both are "SQL injection"
3. **Similar code snippet** - Reference same code block

**Step 3: Merge duplicates:**
- Keep the most detailed description
- Use highest severity from any source
- Cite ALL sources: "Found by: security-auditor, api-tester"
- Preserve unique remediation steps from each source

**Step 4: Conflict resolution:**
| Conflict | Resolution |
|----------|------------|
| Severity differs | Use highest (Critical > High > Medium > Low) |
| Fix differs | Include both approaches with pros/cons |
| ID differs | Create new consolidated ID, note originals |

**Example Deduplication:**
```
BEFORE (from different audits):
- SEC-001: SQL injection at src/api/users.ts:47 (security-auditor)
- API-003: Raw query vulnerability at src/api/users.ts:47 (api-tester)
- BUG-005: Unvalidated input at src/api/users.ts:47 (bug-auditor)

AFTER (consolidated):
- FIX-001: SQL Injection in User Query
  **Location:** src/api/users.ts:47
  **Severity:** Critical (from SEC-001)
  **Found by:** security-auditor (SEC-001), api-tester (API-003)
  **Note:** BUG-005 was related but addresses different aspect
```

## Priority Framework

**P1 — Blockers** (Fix before any deploy)
- Security vulnerabilities (Critical/High from security-auditor)
- Data loss risks
- Auth bypasses
- SSRF/Injection attacks
- Production crashers

**P2 — High Priority** (Fix within first week)
- High severity from any auditor
- Major UX bugs
- Performance problems affecting users
- Data integrity issues

**P3 — Technical Debt** (Fix within first month)
- Code quality issues
- Documentation gaps
- Minor UX improvements
- Refactoring opportunities

**P4 — Backlog** (Nice to have)
- Low severity findings
- Cosmetic issues
- Future improvements

## Effort Estimation

- **XS** < 30 min (single line fix, config change)
- **S** 30 min - 2 hr (single file change)
- **M** 2-8 hr (multiple files, needs testing)
- **L** 1-3 days (significant refactor)
- **XL** 3+ days (architectural change)

## Output

```markdown
# Consolidated Fix Plan

---
agent: fix-planner
status: [COMPLETE|PARTIAL|SKIPPED]
timestamp: [ISO timestamp]
audits_read: [X]
findings_total: [X] (before deduplication)
findings_after_dedup: [X]
p1_count: [X]
p2_count: [X]
p3_count: [X]
---

## Summary
| Priority | Count | Est. Effort |
|----------|-------|-------------|
| P1 (Critical) | X | ~Yh |
| P2 (High) | X | ~Yh |
| P3 (Medium) | X | ~Yh |
| P4 (Low) | X | — |

**Total unique findings:** X (from Y total across Z audits)
**Duplicates removed:** X

## Sources Consulted
| Audit | Status | Findings |
|-------|--------|----------|
| AUDIT_SECURITY.md | COMPLETE | X |
| AUDIT_CODE.md | COMPLETE | X |
| AUDIT_BUGS.md | PARTIAL | X |
| AUDIT_PERF.md | SKIPPED | 0 |

---

## P1 — Critical (Fix Immediately)

### [ ] FIX-001: SQL Injection in User Search
**Priority:** P1 (Critical)
**Source:** security-auditor (SEC-001)
**Effort:** S
**File:** `src/app/api/users/route.ts:47`
**Issue:** Raw user input in SQL query enables full database access
**Do:**
1. Replace raw query with parameterized query
2. Add input validation with zod schema
3. Add integration test for injection attempts
**Verify:**
```bash
# Injection attempt should return 400, not data
curl -X GET "localhost:3000/api/users?search=' OR '1'='1"
```

### [ ] FIX-002: Hardcoded API Key
**Priority:** P1 (Critical)
**Source:** security-auditor (SEC-002)
**Effort:** XS
**File:** `src/lib/stripe.ts:5`
**Issue:** Production Stripe key in source code
**Do:**
1. Move to environment variable
2. Add to .env.example
3. Rotate the exposed key
**Verify:**
```bash
grep -rn "sk_live" src  # Should return 0 results
```

### [ ] FIX-003: Missing Authentication on Admin Routes
**Priority:** P1 (Critical)
**Source:** security-auditor (SEC-003), api-tester (API-S001)
**Effort:** S
**File:** `src/app/api/admin/route.ts`
**Issue:** Admin endpoints accessible without authentication
**Do:**
1. Add getServerSession check
2. Return 401 if not authenticated
3. Add admin role check
**Verify:** `curl localhost:3000/api/admin` returns 401

---

## P2 — High (Fix This Week)

### [ ] FIX-004: N+1 Query in Dashboard
**Priority:** P2 (High)
**Source:** db-auditor (DB-001), perf-auditor (PERF-003)
**Effort:** M
**File:** `src/page