feat(cso): add --fix flag with 9 provably safe auto-fixes#1053
Open
andreycpu wants to merge 1 commit into garrytan:main from
Conversation
Adds /cso --fix which runs the full audit then applies a curated set of fixes where the correct change is deterministic and the risk of breakage is near-zero.

Fix catalog:
- FIX-01: .gitignore secret hardening (.env, *.pem, *.key, etc.)
- FIX-02: Create .gitleaks.toml baseline if absent
- FIX-03: npm audit fix (non-breaking patches only, no --force)
- FIX-04: rejectUnauthorized: false → true (Node.js TLS bypass)
- FIX-05: verify=False → True (Python requests TLS bypass)
- FIX-06: InsecureSkipVerify: true → false (Go TLS bypass)
- FIX-07: httpOnly: false → true on session cookies
- FIX-08: secure: false → true on session cookies
- FIX-09: DEBUG=true → false in production env files

Each fix includes an explicit "Safe because" rationale. --fix is combinable with any existing scope flag (--code, --infra, --diff, etc.) and runs as Phase 15 after the report is complete. No changes to existing audit phases.
What this does
Adds /cso --fix, which runs the full audit, then applies a curated set of fixes where the correct change is deterministic and the risk of breakage is near-zero. Zero changes to existing audit phases.

Directly follows Garry's feedback on the fortress PR: start with provably safe patterns, quality over quantity, each fix verified.
Fix catalog (9 patterns)
- .gitignore secret hardening
- .gitleaks.toml baseline
- npm audit fix (no --force)
- rejectUnauthorized: false → true
- verify=False → True (Python requests)
- InsecureSkipVerify: true → false (Go)
- httpOnly: false → true on cookies
- secure: false → true on cookies
- DEBUG=true → false in production env files

Every fix includes an explicit "Safe because" rationale in the skill. The agent skips any fix it can't apply with certainty and reports why in the summary table.
Usage
--fix is combinable with any existing scope flag.

Changes

- cso/SKILL.md.tmpl — added --fix to Arguments, rule 7 to Mode Resolution, Phase 15 (Auto-Fix Engine), Edit to allowed-tools
- cso/SKILL.md — regenerated from template

No changes to Phases 0-14 or any other skill.
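As an added illustration, not code from this PR or from the cso skill itself, here is a Python sketch of the kind of deterministic rewriter FIX-04 through FIX-08 describe: a catalog of regex rules, each carrying its "Safe because" rationale, applied only to matching file types, with commented-out lines skipped and reported instead of changed. The catalog contents, file-suffix mapping and comment heuristic are my assumptions.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Fix:
    fix_id: str
    suffixes: tuple        # file suffixes the rule is allowed to touch
    pattern: re.Pattern
    replacement: str
    safe_because: str


# Constructed catalog mirroring the PR's TLS and cookie fix patterns (assumed, not the skill's own).
CATALOG = (
    Fix("FIX-04", (".js", ".ts"), re.compile(r"\brejectUnauthorized\s*:\s*false\b"),
        "rejectUnauthorized: true", "restores Node's default TLS certificate validation"),
    Fix("FIX-05", (".py",), re.compile(r"\bverify\s*=\s*False\b"),
        "verify=True", "restores requests' default certificate validation"),
    Fix("FIX-06", (".go",), re.compile(r"\bInsecureSkipVerify\s*:\s*true\b"),
        "InsecureSkipVerify: false", "restores crypto/tls certificate validation"),
    Fix("FIX-07", (".js", ".ts"), re.compile(r"\bhttpOnly\s*:\s*false\b"),
        "httpOnly: true", "session cookies should not be readable from JavaScript"),
    Fix("FIX-08", (".js", ".ts"), re.compile(r"\bsecure\s*:\s*false\b"),
        "secure: true", "session cookies should only be sent over TLS"),
)

COMMENT_PREFIXES = ("#", "//", "*")   # heuristic: a commented-out line is not applied with certainty


def apply_fixes(path, text):
    """Apply every catalog rule whose suffix matches `path`.

    Returns (new_text, report); each report row is (fix_id, line_no, note), where
    note is the rule's "Safe because" rationale or a 'skipped: ...' reason.
    """
    report = []
    lines = text.splitlines(keepends=True)
    for fix in CATALOG:
        if not path.endswith(fix.suffixes):
            continue
        for i, line in enumerate(lines):
            if not fix.pattern.search(line):
                continue
            if line.lstrip().startswith(COMMENT_PREFIXES):
                report.append((fix.fix_id, i + 1, "skipped: commented-out line"))
                continue
            lines[i] = fix.pattern.sub(fix.replacement, line)
            report.append((fix.fix_id, i + 1, fix.safe_because))
    return "".join(lines), report


# Constructed sample input: one live TLS bypass, one commented-out cookie call, one live cookie call.
SAMPLE_JS = (
    "const agent = new https.Agent({ rejectUnauthorized: false });\n"
    "// res.cookie('sid', id, { httpOnly: false, secure: false });\n"
    "res.cookie('sid', id, { httpOnly: false, secure: false });\n"
)
```

Running apply_fixes("app.js", SAMPLE_JS) rewrites lines 1 and 3 and reports the commented line 2 as skipped for FIX-07 and FIX-08, which is the summary-table behaviour the PR describes.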