---
name: config-audit:fix
description: Auto-fix deterministic configuration issues with backup and verification
argument-hint: "[path] [--dry-run]"
allowed-tools: Read, Write, Glob, Grep, Bash, AskUserQuestion
model: sonnet
---

# Config-Audit: Fix

Auto-fix deterministic configuration issues. Scans, plans fixes, backs up originals, applies changes, and verifies results.

## Arguments

- `$ARGUMENTS` may contain:
  - A target path (default: current working directory)
  - `--dry-run`: Show fix plan without applying
  - `--raw`: Pass-through to scanners; produces v5.0.0 verbatim envelope (bypasses the humanizer) for byte-stable diff tooling

## Implementation

### Step 1: Greet and scan

Tell the user:

```
## Config-Audit Fix

Scanning for auto-fixable issues...
```

Parse flags and run scanners silently. Default mode emits humanized JSON — each finding carries `userImpactCategory`, `userActionLanguage`, and `relevanceContext` alongside the v5.0.0 fields:

```bash
RAW_FLAG=""
if echo "$ARGUMENTS" | grep -q -- "--raw"; then RAW_FLAG="--raw"; fi
node ${CLAUDE_PLUGIN_ROOT}/scanners/scan-orchestrator.mjs --output-file /tmp/config-audit-fix-scan-$$.json [--global] $RAW_FLAG 2>/dev/null; echo $?
```

Exit code 3 → tell user: "Scanner error. Try `/config-audit posture` to check your configuration."

### Step 2: Plan fixes

Run fix planner silently. The fix-cli emits humanized prose to stderr in default mode and v5.0.0-shape JSON to stdout when `--json` is set; we use `--json` here for structured data and let the humanizer-aware rendering layer (this command's prose output below) supply the plain-language wording from the scan envelope above:

```bash
node ${CLAUDE_PLUGIN_ROOT}/scanners/fix-cli.mjs --json 2>/dev/null
```

Read the JSON output using the Read tool.
Cross-reference each fix-plan entry against the humanized scan envelope (`/tmp/config-audit-fix-scan-$$.json`) by finding ID to recover the humanized `title`/`description`/`recommendation` plus `userImpactCategory`/`userActionLanguage` for grouping.

### Step 3: Present fix plan

Show what will be fixed and what needs manual attention. Group by `userActionLanguage` so the urgency phrasing stays consistent with the rest of the toolchain:

```markdown
### Fix Plan

**Auto-fixable ({N} issues), grouped by impact:**

{For each userActionLanguage bucket in priority order — "Fix this now" → "Fix soon" → "Fix when convenient" → "Optional cleanup" → "FYI":}

#### {userActionLanguage}

| # | ID | Issue | File |
|---|-----|-------|------|
| 1 | {id} | {humanized title} | {file} |

**Manual ({M} issues — require human judgment), grouped by impact:**

{Same userActionLanguage grouping. Render humanized title and recommendation verbatim — the humanizer already produced plain-language strings, do not paraphrase.}

| # | ID | Issue | Recommendation |
|---|-----|-------|----------------|
| 1 | {id} | {humanized title} | {humanized recommendation} |
```

### Step 4: Confirm with user

If not `--dry-run`, ask for confirmation:

```
AskUserQuestion:
  question: "Apply {N} auto-fixes? A backup is created first — you can roll back anytime."
  options:
    - "Yes, apply fixes"
    - "Show dry-run only"
    - "Cancel"
```

### Step 5: Apply fixes

If confirmed, apply:

```bash
node ${CLAUDE_PLUGIN_ROOT}/scanners/fix-cli.mjs --apply --json 2>/dev/null
```

Read the JSON output to get applied/failed counts and backup location.

### Step 6: Show results

Run a quick posture check to measure improvement:

```bash
node ${CLAUDE_PLUGIN_ROOT}/scanners/posture.mjs --json --output-file /tmp/config-audit-fix-posture-$$.json 2>/dev/null
```

Present results:

```markdown
### Results

**{applied} fixed** | {failed} failed | Backup created

{If grade improved:}
Score impact: {old_grade} ({old_score}) → {new_grade} ({new_score}) — **+{delta} points**

{If failed > 0:}
{failed} fix(es) couldn't be applied — run `/config-audit plan` for alternative approaches.

**Rollback:** If anything looks wrong, run `/config-audit rollback {backup-id}` to restore.
```

### Step 7: Manual findings

If manual findings exist:

```markdown
### Needs manual attention

These {M} issues require human judgment:

1. **{title}** ({id}) — {recommendation}
2. ...

Run `/config-audit plan` to get a step-by-step guide for addressing these.
```

## Safety

- Backup is **mandatory** — every fix creates a backup first
- Dry-run by default — user must confirm before changes
- Verify after fix — re-scans to confirm findings resolved
- Rollback always available — `/config-audit rollback`
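
The cross-reference and grouping that Steps 2 and 3 describe, as an added JavaScript example that is not part of the plugin's own code. It assumes the fix plan and the scan envelope can each be reduced to a flat array of objects keyed by `id`; the `Unclassified` bucket, the function name and the sample data are hypothetical.

```javascript
// Added example. Field names (id, file, title, recommendation,
// userActionLanguage) come from the command text; the flat array
// shapes are an assumption about the two JSON documents.
const PRIORITY = ["Fix this now", "Fix soon", "Fix when convenient", "Optional cleanup", "FYI"];
const UNMATCHED = "Unclassified"; // hypothetical bucket, not a humanizer value

function groupFixPlan(planEntries, scanFindings) {
  // Index the humanized scan findings by finding ID.
  const byId = new Map(scanFindings.map((f) => [f.id, f]));
  const buckets = new Map();

  for (const entry of planEntries) {
    const finding = byId.get(entry.id);
    // A --raw envelope or a stale scan file carries no humanized fields.
    // Keep such entries visible instead of dropping them from the plan.
    const label = finding?.userActionLanguage ?? UNMATCHED;
    if (!buckets.has(label)) buckets.set(label, []);
    buckets.get(label).push({
      id: entry.id,
      file: entry.file,
      title: finding?.title ?? entry.id,
      recommendation: finding?.recommendation ?? null,
    });
  }

  // Known urgency labels first, in the documented order; anything else last.
  const rank = (label) => {
    const i = PRIORITY.indexOf(label);
    return i === -1 ? PRIORITY.length : i;
  };
  return [...buckets.entries()]
    .sort(([a], [b]) => rank(a) - rank(b))
    .map(([label, items]) => ({ label, items }));
}

// Constructed sample data: IDs, files and titles are made up for illustration.
const samplePlan = [
  { id: "EX-003", file: "example/settings.json" },
  { id: "EX-001", file: "example/CLAUDE.md" },
  { id: "EX-009", file: "example/.mcp.json" }, // no matching scan finding
];
const sampleFindings = [
  { id: "EX-001", title: "Sample high-urgency issue", recommendation: "Sample fix", userActionLanguage: "Fix this now" },
  { id: "EX-003", title: "Sample informational issue", recommendation: "Sample note", userActionLanguage: "FYI" },
];

console.log(JSON.stringify(groupFixPlan(samplePlan, sampleFindings), null, 2));
```

An entry that lands in the `Unclassified` bucket indicates the plan and the scan envelope came from different runs or that the scan was taken with `--raw`.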