---
name: audit-and-fix
description: "Composite: security audit -> production upgrade -> self-evaluation. Use when user says 'audit', 'check the codebase', 'find and fix issues', or 'is this production-ready'."
argument-hint: "[target path or scope]"
---

# audit-and-fix
Composite skill that chains security-audit, production-upgrade, and self-eval into a single audit-then-remediate pipeline. Each step consumes the previous step's artifacts and gates the next step based on severity.
## Chain Overview

```
security-audit  ->  production-upgrade  ->  self-eval
      |                    |                   |
      v                    v                   v
AUDIT-SECURITY.md      UPGRADE.md        EVAL-RESULT.md
```
## Inputs

| Parameter | Values | Default | Description |
|---|---|---|---|
| target | path, `.`, changed-files | `.` | What to audit |
| scope | full, changed-files | full | Breadth of analysis |
## Step 1: Security Audit

**Invokes:** `/security-audit` with `framework=all`, `scope={scope}`

**What it does:**
- 7-domain scan: OWASP Top 10, MITRE ATT&CK, NIST CSF 2.0, secret detection, supply chain, container, DevSecOps
- Every finding cites `file:line` evidence with severity (CRITICAL/HIGH/MEDIUM/LOW)
- Cross-maps all findings across all three frameworks

**Produces:** `.productionos/AUDIT-SECURITY.md`

**Gate to Step 2:**
- If CRITICAL findings > 0: ESCALATE. Do not proceed to production-upgrade. Print escalation report with CRITICAL findings and halt. The user must acknowledge CRITICAL issues before remediation begins.
- If HIGH findings > 5: Print a warning, then proceed with `--mode=audit` (read-only upgrade analysis, no code changes).
- Otherwise: Proceed normally to Step 2.
## Step 2: Production Upgrade

**Invokes:** `/production-upgrade --mode=audit`

**What it does:**
- Reads `AUDIT-SECURITY.md` as the input baseline
- Runs a full codebase quality audit: code style, error handling, test coverage, dependency health, API design
- Identifies upgrade opportunities beyond security (performance, maintainability, correctness)
- Generates a prioritized fix plan with effort estimates

**Produces:** `.productionos/UPGRADE.md`

**Gate to Step 3:**
- Proceeds unconditionally. Production-upgrade is advisory in audit mode.
## Step 3: Self-Evaluation

**Invokes:** `/self-eval last`

**What it does:**
- Evaluates the combined audit + upgrade analysis against 7 quality dimensions
- Scores: quality, necessity, correctness, dependencies, completeness, learning, honesty
- Overall score >= 8.0 is PASS, 6.0-7.9 triggers the self-heal loop (max 3 iterations), < 6.0 blocks

**Produces:** `.productionos/EVAL-RESULT.md`
## Escalation Protocol

When security-audit finds CRITICAL severity issues:

```
STATUS: BLOCKED
REASON: {N} CRITICAL security findings require immediate attention
FINDINGS:
1. {finding_id}: {description} at {file}:{line} — {framework_mapping}
...
RECOMMENDATION: Fix CRITICAL issues manually, then re-run /audit-and-fix
```

Do NOT attempt automated fixes for CRITICAL security issues. Authentication bypasses, exposed secrets, and RCE vectors require human review.
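The gating rules above (the Step 1 gate on CRITICAL/HIGH counts, the Step 3 score thresholds with the bounded self-heal loop, and the escalation report layout) are the parts of this chain where a wrong comparison silently lets unreviewed findings through. The following is an added example that implements them as plain functions; it is not the skill's own code. The finding line format it parses (`- [SEVERITY] ID: description at file:line (framework mapping)`), the `WARN_AUDIT_ONLY` decision name, and the `NEEDS_ATTENTION` outcome when the heal budget is exhausted are assumptions, since the skill text only says findings cite `file:line` with a severity; the thresholds and the report layout come from the text.

```python
"""Gate logic for the audit-and-fix chain (added example, not the skill's own code).

Assumptions (not stated by the skill text):
  * findings in AUDIT-SECURITY.md are lines shaped like
      - [CRITICAL] SEC-001: description at path/file.py:42 (OWASP A02 / ATT&CK T1552)
  * exhausting the self-heal budget while still in the 6.0-7.9 band yields NEEDS_ATTENTION
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Callable

SEVERITIES = ("CRITICAL", "HIGH", "MEDIUM", "LOW")

# Assumed finding line format; anything that does not match is ignored (headings, prose).
FINDING_RE = re.compile(
    r"^- \[(?P<severity>CRITICAL|HIGH|MEDIUM|LOW)\] "
    r"(?P<finding_id>[A-Z]+-\d+): (?P<description>.+?) at "
    r"(?P<file>\S+):(?P<line>\d+) \((?P<framework>[^)]+)\)$"
)


@dataclass(frozen=True)
class Finding:
    severity: str
    finding_id: str
    description: str
    file: str
    line: int
    framework: str


def parse_findings(markdown: str) -> list[Finding]:
    """Extract Finding records from AUDIT-SECURITY.md text (assumed line format above)."""
    findings = []
    for raw in markdown.splitlines():
        m = FINDING_RE.match(raw.strip())
        if m:
            findings.append(Finding(m["severity"], m["finding_id"], m["description"],
                                    m["file"], int(m["line"]), m["framework"]))
    return findings


def count_by_severity(findings: list[Finding]) -> dict[str, int]:
    counts = {s: 0 for s in SEVERITIES}
    for f in findings:
        counts[f.severity] += 1
    return counts


def gate_step2(findings: list[Finding], high_threshold: int = 5) -> str:
    """'Gate to Step 2': any CRITICAL escalates; more than 5 HIGH proceeds read-only."""
    counts = count_by_severity(findings)
    if counts["CRITICAL"] > 0:
        return "ESCALATE"            # halt; human must acknowledge before remediation
    if counts["HIGH"] > high_threshold:
        return "WARN_AUDIT_ONLY"     # proceed with --mode=audit, no code changes
    return "PROCEED"


def escalation_report(findings: list[Finding]) -> str:
    """Render the Escalation Protocol block for the CRITICAL findings only."""
    criticals = [f for f in findings if f.severity == "CRITICAL"]
    lines = [
        "STATUS: BLOCKED",
        f"REASON: {len(criticals)} CRITICAL security findings require immediate attention",
        "FINDINGS:",
    ]
    for i, f in enumerate(criticals, start=1):
        lines.append(f"{i}. {f.finding_id}: {f.description} at {f.file}:{f.line} — {f.framework}")
    lines.append("RECOMMENDATION: Fix CRITICAL issues manually, then re-run /audit-and-fix")
    return "\n".join(lines)


def gate_self_eval(run_eval: Callable[[], float], max_heals: int = 3) -> tuple[str, float, int]:
    """Step 3 thresholds: >= 8.0 PASS, 6.0-7.9 self-heal (at most max_heals re-runs), < 6.0 BLOCKED.

    run_eval is called once up front and once more per self-heal iteration; the loop is
    bounded so a score that never leaves the middle band cannot spin forever.
    """
    score = run_eval()
    heals = 0
    while 6.0 <= score < 8.0 and heals < max_heals:
        heals += 1
        score = run_eval()
    if score >= 8.0:
        return "PASS", score, heals
    if score < 6.0:
        return "BLOCKED", score, heals
    return "NEEDS_ATTENTION", score, heals   # assumption: heal budget exhausted in band


# Constructed sample audit output, not real scanner output.
SAMPLE_AUDIT = """\
# AUDIT-SECURITY (constructed sample)
- [CRITICAL] SEC-001: hard-coded AWS secret key at config/settings.py:12 (OWASP A02 / ATT&CK T1552)
- [HIGH] SEC-002: SQL built by string concatenation at app/db.py:88 (OWASP A03 / ATT&CK T1190)
- [MEDIUM] SEC-003: missing rate limit on login at app/auth.py:41 (OWASP A07 / NIST PR.AA)
"""

if __name__ == "__main__":
    found = parse_findings(SAMPLE_AUDIT)
    decision = gate_step2(found)
    print("Step 2 gate:", decision)
    if decision == "ESCALATE":
        print(escalation_report(found))
```

Run as a script it parses the constructed sample, reaches the ESCALATE branch (one CRITICAL) and prints the escalation block. Keeping the gate as a pure function over parsed findings makes the CRITICAL check testable in isolation, which matters because the "do not auto-fix CRITICAL" rule above depends entirely on that branch never being skipped.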
## Output Format

Final composite report written to `.productionos/AUDIT-AND-FIX.md`:

```markdown
# Audit & Fix Report

## Summary
- **Security Posture:** X/10
- **Production Readiness:** X/10
- **Self-Eval Score:** X/10
- **Findings:** N security, M upgrade opportunities
- **Status:** PASS | BLOCKED | NEEDS_ATTENTION

## Security Findings (from Step 1)
{top 10 findings by severity, full list in AUDIT-SECURITY.md}

## Upgrade Opportunities (from Step 2)
{prioritized list with effort estimates}

## Evaluation (from Step 3)
{7-dimension score breakdown}

## Next Actions
1. {highest priority action}
2. {second priority action}
...
```
## When to Use

- "Audit this codebase" -- runs full pipeline
- "Is this production-ready?" -- runs full pipeline
- "Find and fix security issues" -- runs full pipeline
- "Check the code quality" -- runs full pipeline

## When NOT to Use

- Active debugging of a specific bug -- use `/debug` instead
- Shipping a PR -- use `/ship-safe` instead
- Full project lifecycle -- use `/full-cycle` instead