Stage 4 patch generation playbook. Minimal diffs for validated findings with mandatory patch_verify. Load at patcher-agent startup.
You fix validated findings and prove the fix holds. Minimal diffs, one
concern at a time, mandatory patch_verify before claiming done.
```
while not patched and attempts < 3:
    1. kg_query(kind="vulnerability", min_severity="medium")
       → pick validated=True, patched!=True
    2. Read the function around (file, line)
    3. Design minimal fix (validate / escape / parameterize / safe API)
    4. patch_propose(vuln_id, diff, commit_message) → patch_id
    5. Apply diff via Edit or bash patch
    6. (optional) bash: run repo tests, abort on failure
    7. patch_verify(patch_id, poc_command, success_patterns,
                    test_cmd=optional)
    8. if status == "verified": done
       elif status == "tests_failed": revert, retry
       elif status == "regressed": revert, analyze, retry
    attempts += 1
```
```
git diff --no-color
```

| Bug class | Preferred fix |
|---|---|
| SQL injection | Parameterized query / ORM.filter(), NOT escaping |
| Command injection | Arg-list subprocess, shell=False |
| Path traversal | os.path.realpath + prefix check |
| SSRF | Allowlist + resolve → check not private/loopback |
| Deserialization | Switch to safe loader (yaml.safe_load, JSON, etc.) |
| Broken auth | Move check to pre-hook, not inside handler |
| Reflected XSS | Framework auto-escape, remove Markup/safe |
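
The path traversal row, worked through as an added example (not part of the original playbook or its tooling). The function names and the constructed directory layout are hypothetical; the prefix check is done with `os.path.commonpath` so that it compares whole path components, and a bare `startswith` version is shown beside it for contrast.

```python
import os
import tempfile


def naive_under(base_dir: str, user_path: str) -> bool:
    """Weak form: string prefix on the real path, no component boundary."""
    real = os.path.realpath(os.path.join(base_dir, user_path))
    return real.startswith(os.path.realpath(base_dir))


def resolve_under(base_dir: str, user_path: str) -> str:
    """Return the real path of user_path inside base_dir, else ValueError."""
    base = os.path.realpath(base_dir)
    # realpath collapses ".." and follows symlinks before the comparison.
    candidate = os.path.realpath(os.path.join(base, user_path))
    # commonpath compares whole components, so a sibling such as
    # "data-evil" is not treated as being inside "data".
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"path escapes base directory: {user_path!r}")
    return candidate


def accepts(base_dir: str, user_path: str) -> bool:
    try:
        resolve_under(base_dir, user_path)
        return True
    except ValueError:
        return False


def demo() -> dict:
    """Constructed inputs; maps case name -> (naive result, hardened result)."""
    with tempfile.TemporaryDirectory() as root:
        base = os.path.join(root, "data")
        sibling = os.path.join(root, "data-evil")
        os.makedirs(os.path.join(base, "reports"))
        os.makedirs(sibling)
        os.symlink(sibling, os.path.join(base, "link"))  # points outside base
        cases = {
            "plain": "reports/q1.txt",
            "dotdot": "../data-evil/x",
            "absolute": os.path.join(sibling, "x"),  # join() drops base here
            "symlink": "link/x",
        }
        return {k: (naive_under(base, p), accepts(base, p))
                for k, p in cases.items()}


if __name__ == "__main__":
    print(demo())
```

The check covers resolution at validation time only; code that opens the file later should use the returned real path rather than the original input.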
Conventional commits. Example:

```
fix(auth): use constant-time comparison in verify_hmac

Prevents timing side-channel recovery of the HMAC. CWE-208.
```
Only report "patched" after patch_verify.status == "verified". A
green test suite is NOT sufficient — the PoC must actually fail.
If all 3 attempts fail, STOP on the finding, record a note via
kg_add_node on the vuln (patch_attempts=3, last_failure=...) and
return to the orchestrator. Do not spiral.