AI Fix Prompts for Fish Skills

Fix a hardcoded credential in repository 'skinnyandbald__fish-skills'.

**Issue**: Hard-coded sast found ([sast:aljefra/path-traversal-join] Path Traversal via Path Join with Input)
**File**: hooks/session-start-hook.ts
**Line**: 36
**Severity**: HIGH

**Current code around the issue:**
```
      31 |       return aMaj - bMaj || aMin - bMin || aPat - bPat;
      32 |     });
      33 |   if (versions.length === 0) return;
      34 | 
      35 |   const latestVersion = versions[versions.length - 1];
>>>   36 |   const targetFile = path.join(pluginBase, latestVersion, 'skills', 'requesting-code-review', 'code-reviewer.md');
      37 | 
      38 |   if (!fs.existsSync(targetFile)) return;
      39 | 
      40 |   const current = fs.readFileSync(targetFile, 'utf-8');
      41 | 
```

**Required fix:**
1. Remove the hardcoded credential from the source code
2. Replace it with an environment variable read: `os.environ.get('SAST_KEY')` (Python) or `process.env.SAST_KEY` (JS)
3. Add the variable name to a `.env.example` file with a placeholder value
4. Ensure `.env` is in `.gitignore`
5. If this credential was ever committed to git, it should be considered compromised and rotated

**Do NOT:**
- Move the secret to a config file that gets committed
- Use a default fallback value that is a real credential
- Leave the old credential in a comment

Fix a hardcoded credential in repository 'skinnyandbald__fish-skills'.

**Issue**: Hard-coded sast found ([sast:aljefra/taint-path-traversal] Path Traversal via Tainted Data)
**File**: hooks/session-start-hook.ts
**Line**: 40
**Severity**: HIGH

**Current code around the issue:**
```
      35 |   const latestVersion = versions[versions.length - 1];
      36 |   const targetFile = path.join(pluginBase, latestVersion, 'skills', 'requesting-code-review', 'code-reviewer.md');
      37 | 
      38 |   if (!fs.existsSync(targetFile)) return;
      39 | 
>>>   40 |   const current = fs.readFileSync(targetFile, 'utf-8');
      41 | 
      42 |   // Idempotent: skip if already patched this version
      43 |   if (current.includes(PATCH_MARKER)) return;
      44 | 
      45 |   const step0Content = fs.readFileSync(STEP0_FILE, 'utf-8');
```

**Required fix:**
1. Remove the hardcoded credential from the source code
2. Replace it with an environment variable read: `os.environ.get('SAST_KEY')` (Python) or `process.env.SAST_KEY` (JS)
3. Add the variable name to a `.env.example` file with a placeholder value
4. Ensure `.env` is in `.gitignore`
5. If this credential was ever committed to git, it should be considered compromised and rotated

**Do NOT:**
- Move the secret to a config file that gets committed
- Use a default fallback value that is a real credential
- Leave the old credential in a comment

Fix a hardcoded credential in repository 'skinnyandbald__fish-skills'.

**Issue**: Hard-coded sast found ([sast:aljefra/taint-path-traversal] Path Traversal via Tainted Data)
**File**: hooks/session-start-hook.ts
**Line**: 45
**Severity**: HIGH

**Current code around the issue:**
```
      40 |   const current = fs.readFileSync(targetFile, 'utf-8');
      41 | 
      42 |   // Idempotent: skip if already patched this version
      43 |   if (current.includes(PATCH_MARKER)) return;
      44 | 
>>>   45 |   const step0Content = fs.readFileSync(STEP0_FILE, 'utf-8');
      46 |   const injectionPoint = current.indexOf(INJECT_BEFORE);
      47 | 
      48 |   if (injectionPoint === -1) {
      49 |     console.log(`⚠️  code-reviewer patch: injection point "${INJECT_BEFORE}" not found in v${latestVersion} — skipping`);
      50 |     return;
```

**Required fix:**
1. Remove the hardcoded credential from the source code
2. Replace it with an environment variable read: `os.environ.get('SAST_KEY')` (Python) or `process.env.SAST_KEY` (JS)
3. Add the variable name to a `.env.example` file with a placeholder value
4. Ensure `.env` is in `.gitignore`
5. If this credential was ever committed to git, it should be considered compromised and rotated

**Do NOT:**
- Move the secret to a config file that gets committed
- Use a default fallback value that is a real credential
- Leave the old credential in a comment

Fix a hardcoded credential in repository 'skinnyandbald__fish-skills'.

**Issue**: Hard-coded sast found ([sast:aljefra/taint-path-traversal] Path Traversal via Tainted Data)
**File**: hooks/session-start-hook.ts
**Line**: 59
**Severity**: HIGH

**Current code around the issue:**
```
      54 |     current.slice(0, injectionPoint)
      55 |     + PATCH_MARKER + '\n'
      56 |     + step0Content + '\n'
      57 |     + current.slice(injectionPoint);
      58 | 
>>>   59 |   fs.writeFileSync(targetFile, patched);
      60 |   console.log(`✅ Patched superpowers code-reviewer.md (v${latestVersion}) with knowledge-lookup Step 0`);
      61 | }
      62 | 
      63 | async function main() {
      64 |   try {
```

**Required fix:**
1. Remove the hardcoded credential from the source code
2. Replace it with an environment variable read: `os.environ.get('SAST_KEY')` (Python) or `process.env.SAST_KEY` (JS)
3. Add the variable name to a `.env.example` file with a placeholder value
4. Ensure `.env` is in `.gitignore`
5. If this credential was ever committed to git, it should be considered compromised and rotated

**Do NOT:**
- Move the secret to a config file that gets committed
- Use a default fallback value that is a real credential
- Leave the old credential in a comment

Fix a hardcoded credential in repository 'skinnyandbald__fish-skills'.

**Issue**: Hard-coded sast found ([sast:aljefra/taint-path-traversal] Path Traversal via Tainted Data)
**File**: skills/capture-learning/scripts/capture-learning.ts
**Line**: 191
**Severity**: HIGH

**Current code around the issue:**
```
     186 | 
     187 | *This narrative learning was captured to help us remember not just the solution, but the entire problem-solving journey and the thinking that led us to the answer.*
     188 | `;
     189 |     
     190 |     // Write the file
>>>  191 |     fs.writeFileSync(filepath, content);
     192 | 
     193 |     console.log(`\n✅ Learning captured with full narrative!`);
     194 |     console.log(`📁 Saved to: ${filepath}`);
     195 | 
     196 |     // Ask whether to promote to global cross-project patterns
```

**Required fix:**
1. Remove the hardcoded credential from the source code
2. Replace it with an environment variable read: `os.environ.get('SAST_KEY')` (Python) or `process.env.SAST_KEY` (JS)
3. Add the variable name to a `.env.example` file with a placeholder value
4. Ensure `.env` is in `.gitignore`
5. If this credential was ever committed to git, it should be considered compromised and rotated

**Do NOT:**
- Move the secret to a config file that gets committed
- Use a default fallback value that is a real credential
- Leave the old credential in a comment

Address OWASP A02 (Cryptographic Failures) compliance gap in 'skinnyandbald__fish-skills'.

**OWASP Category**: A02 -- Cryptographic Failures
**Fix guidance**: Remove hardcoded secrets, use strong encryption (AES-256-GCM), enforce TLS, never store passwords in plaintext (use bcrypt/argon2).

**Steps:**
1. Identify all code paths related to cryptographic failures
2. Apply the fixes described above
3. Add automated tests to verify the fix
4. Document any security assumptions in code comments

Address OWASP A06 (Vulnerable Components) compliance gap in 'skinnyandbald__fish-skills'.

**OWASP Category**: A06 -- Vulnerable Components
**Fix guidance**: Update all dependencies to latest stable versions, remove unused dependencies, monitor for new CVEs.

**Steps:**
1. Identify all code paths related to vulnerable components
2. Apply the fixes described above
3. Add automated tests to verify the fix
4. Document any security assumptions in code comments

Repository 'skinnyandbald__fish-skills' is failing the quality gate.

Failed conditions:
- overall_score: actual 0.0 >= 50 (FAILED)
- security_score: actual 0.0 >= 40 (FAILED)
- critical_vulnerabilities: actual 1.0 <= 0 (FAILED)

Fix each failing condition to make the repo pass the quality gate.

Repository 'skinnyandbald__fish-skills' has 10 open issues:

- [CRITICAL] GHSA-8r6j-v8pm-fqw3: fsevents
- [HIGH] Hard-coded sast: [sast:aljefra/taint-path-traversal] Path Traversal via Tainted Data (hooks/session-start-hook.ts)
- [HIGH] GHSA-q8pj-2vqx-8ggc: css-what
- [HIGH] Hard-coded sast: [sast:aljefra/taint-path-traversal] Path Traversal via Tainted Data (hooks/session-start-hook.ts)
- [HIGH] Hard-coded sast: [sast:aljefra/taint-path-traversal] Path Traversal via Tainted Data (skills/capture-learning/scripts/capture-learning.ts)
- [HIGH] GHSA-p28h-cc7q-c4fg: css-what
- [HIGH] Hard-coded sast: [sast:aljefra/path-traversal-join] Path Traversal via Path Join with Input (hooks/session-start-hook.ts)
- [HIGH] Hard-coded sast: [sast:aljefra/taint-path-traversal] Path Traversal via Tainted Data (hooks/session-start-hook.ts)
- [HIGH] GHSA-r6ch-mqf9-qc9w: undici
- [HIGH] GHSA-rp65-9cf3-cjxr: nth-check

Resolve each issue. For security issues, apply the appropriate fix. For quality issues, refactor the affected code.

Static analysis found 5 security issues in 'skinnyandbald__fish-skills':

- [HIGH] [sast:aljefra/path-traversal-join] Path Traversal via Path Join with Input at hooks/session-start-hook.ts:36
- [HIGH] [sast:aljefra/taint-path-traversal] Path Traversal via Tainted Data at hooks/session-start-hook.ts:40
- [HIGH] [sast:aljefra/taint-path-traversal] Path Traversal via Tainted Data at hooks/session-start-hook.ts:45
- [HIGH] [sast:aljefra/taint-path-traversal] Path Traversal via Tainted Data at hooks/session-start-hook.ts:59
- [HIGH] [sast:aljefra/taint-path-traversal] Path Traversal via Tainted Data at skills/capture-learning/scripts/capture-learning.ts:191

For each finding:
- SQL injection: use parameterized queries
- Command injection: use subprocess with list args, no shell=True
- Path traversal: validate and sanitize paths
- Insecure deserialization: use json instead of pickle
- IaC misconfigs: apply the suggested fix from the rule