the-frame-ai 0.9.5 → 0.9.6

package/README.de.md

@@ -126,12 +126,31 @@ Führe `/frame:research <Thema>` aus — Claude erkundet die Codebasis, externe
 # → Bericht gespeichert unter .planning/reports/security/security-{date}.md
 # → STATE.md mit Security Status aktualisiert
 
-# Bei CRITICAL-Befunden:
-# ⛔ Ship BLOCKIERT. Kritische Befunde vor /frame:ship beheben.
-# → Bericht öffnen, jeden CRITICAL-Punkt beheben, /frame:security erneut ausführen
+# Bei CRITICAL oder HIGH Befunden:
+# ⛔ Ship BLOCKIERT. Führe /frame:security-fix aus um kritische Befunde zu beheben.
+
+/frame:security-fix
+# → liest den letzten Bericht und behebt Befunde nach Priorität:
+#   CRITICAL zuerst, dann HIGH
+#   - entfernt .env aus Git-Tracking (git rm --cached)
+#   - fügt fehlende Security-Header zu next.config.js / Express hinzu
+#   - fügt CSRF-Schutz für Route Handler hinzu
+#   - führt npm audit fix für verwundbare Abhängigkeiten aus
+#   - behebt Dockerfile: fügt USER-Direktive hinzu, ersetzt :latest
+#   - für Secrets bereits in der History: erklärt genau wie rotieren + History neu schreiben
+# → verifiziert jeden Fix nach der Anwendung
+# → aktualisiert STATE.md: entsperrt Ship wenn alle CRITICAL behoben
+
+# Gezielte Fixes:
+/frame:security-fix critical     # nur CRITICAL beheben
+/frame:security-fix high         # nur HIGH beheben
+/frame:security-fix SEC-1        # bestimmten Befund per ID beheben
+
+/frame:security
+# → Audit erneut ausführen um zu bestätigen dass alles sauber ist
 
 # Wenn alles sauber:
-# ✓ Keine kritischen Probleme. Sicher fortzufahren.
+# ✓ Keine kritischen Probleme. Sicher mit /frame:ship fortzufahren.
 
 /frame:ship
 # → Sicherheitsprüfung bestanden, commit und push
@@ -256,6 +275,7 @@ Diese 7 Befehle decken 90% der Solo-Dev-Arbeit ab:
 |--------|---------------|
 | `/frame:review` | Vor dem Deployment — automatisierte Prüfungen + Checkliste |
 | `/frame:security` | Tiefer Sicherheitsaudit: Secrets, OWASP, Infrastruktur, KI/LLM-Risiken |
+| `/frame:security-fix` | Befunde aus dem letzten Sicherheitsbericht beheben (CRITICAL zuerst, dann HIGH) |
 | `/frame:health` | Vollständiger Projekt-Gesundheitscheck |
 | `/frame:check-deps` | Sicherheitsaudit + veraltete Pakete |
 | `/frame:performance` | Bundle-Größe und Lighthouse-Audit |

package/README.es.md

@@ -126,12 +126,31 @@ Ejecuta `/frame:research <tema>` — Claude explora la base de código, fuentes
 # → informe guardado en .planning/reports/security/security-{date}.md
 # → STATE.md actualizado con Security Status
 
-# Si hay hallazgos CRITICAL:
-# ⛔ Ship BLOQUEADO. Corrige los hallazgos críticos antes de /frame:ship.
-# → abre el informe, corrige cada punto CRITICAL, vuelve a ejecutar /frame:security
+# Si hay hallazgos CRITICAL o HIGH:
+# ⛔ Ship BLOQUEADO. Ejecuta /frame:security-fix para corregir los hallazgos críticos.
+
+/frame:security-fix
+# → lee el último informe y corrige hallazgos por prioridad:
+#   CRITICAL primero, luego HIGH
+#   - elimina .env del seguimiento de git (git rm --cached)
+#   - añade security headers faltantes a next.config.js / Express
+#   - añade protección CSRF a Route Handlers
+#   - ejecuta npm audit fix para dependencias vulnerables
+#   - corrige Dockerfile: añade directiva USER, reemplaza :latest
+#   - para secretos ya en el historial: explica exactamente cómo rotar + reescribir historial
+# → verifica cada corrección después de aplicarla
+# → actualiza STATE.md: desbloquea ship si todos los CRITICAL están resueltos
+
+# Correcciones específicas:
+/frame:security-fix critical     # corregir solo CRITICAL
+/frame:security-fix high         # corregir solo HIGH
+/frame:security-fix SEC-1        # corregir un hallazgo específico por ID
+
+/frame:security
+# → volver a ejecutar auditoría para confirmar que todo está limpio
 
 # Si todo está limpio:
-# ✓ Sin problemas críticos. Seguro para continuar.
+# ✓ Sin problemas críticos. Seguro para continuar con /frame:ship.
 
 /frame:ship
 # → verificación de seguridad superada, commit y push
@@ -256,6 +275,7 @@ Estos 7 comandos cubren el 90% del trabajo de desarrollo en solitario:
 |---------|--------------|
 | `/frame:review` | Antes de desplegar — verificaciones automatizadas + lista de comprobación |
 | `/frame:security` | Auditoría de seguridad profunda: secretos, OWASP, infraestructura, riesgos IA/LLM |
+| `/frame:security-fix` | Corregir hallazgos del último informe de seguridad (CRITICAL primero, luego HIGH) |
 | `/frame:health` | Verificación completa del estado del proyecto |
 | `/frame:check-deps` | Auditoría de seguridad + paquetes desactualizados |
 | `/frame:performance` | Auditoría de tamaño de bundle y Lighthouse |

package/README.hi.md

@@ -126,12 +126,31 @@ FRAME — AI-सहायता प्राप्त एकल विकास
 # → रिपोर्ट .planning/reports/security/security-{date}.md में सहेजी जाती है
 # → STATE.md Security Status के साथ अपडेट होता है
 
-# CRITICAL निष्कर्ष होने पर:
-# ⛔ Ship BLOCKED. /frame:ship से पहले critical findings ठीक करें।
-# → रिपोर्ट खोलें, प्रत्येक CRITICAL आइटम ठीक करें, /frame:security फिर चलाएं
+# CRITICAL या HIGH निष्कर्ष होने पर:
+# ⛔ Ship BLOCKED. Critical findings ठीक करने के लिए /frame:security-fix चलाएं।
+
+/frame:security-fix
+# → नवीनतम रिपोर्ट पढ़ता है और प्राथमिकता के अनुसार findings ठीक करता है:
+#   पहले CRITICAL, फिर HIGH
+#   - .env को git tracking से हटाता है (git rm --cached)
+#   - next.config.js / Express में missing security headers जोड़ता है
+#   - Route Handlers पर CSRF protection जोड़ता है
+#   - vulnerable dependencies के लिए npm audit fix चलाता है
+#   - Dockerfile ठीक करता है: USER directive जोड़ता है, :latest बदलता है
+#   - history में पहले से मौजूद secrets के लिए: rotate + history rewrite कैसे करें बताता है
+# → प्रत्येक fix लागू करने के बाद verify करता है
+# → STATE.md अपडेट करता है: सभी CRITICAL हल होने पर ship unblock करता है
+
+# Targeted fixes:
+/frame:security-fix critical     # केवल CRITICAL ठीक करें
+/frame:security-fix high         # केवल HIGH ठीक करें
+/frame:security-fix SEC-1        # ID से specific finding ठीक करें
+
+/frame:security
+# → सब कुछ साफ है यह confirm करने के लिए audit फिर चलाएं
 
 # सब कुछ साफ होने पर:
-# ✓ कोई critical समस्या नहीं। आगे बढ़ना सुरक्षित है।
+# ✓ कोई critical समस्या नहीं। /frame:ship के साथ आगे बढ़ना सुरक्षित है।
 
 /frame:ship
 # → security check पास, commit और push
@@ -256,6 +275,7 @@ npx the-frame-ai init
 |-------|--------------|
 | `/frame:review` | डिप्लॉय करने से पहले — स्वचालित जांच + चेकलिस्ट |
 | `/frame:security` | गहरा सुरक्षा ऑडिट: secrets, OWASP, infrastructure, AI/LLM risks |
+| `/frame:security-fix` | नवीनतम रिपोर्ट से findings ठीक करें (पहले CRITICAL, फिर HIGH) |
 | `/frame:health` | पूर्ण प्रोजेक्ट स्वास्थ्य जांच |
 | `/frame:check-deps` | सुरक्षा ऑडिट + पुराने पैकेज |
 | `/frame:performance` | Bundle आकार और Lighthouse ऑडिट |

package/README.ja.md

@@ -126,12 +126,31 @@ Claude Codeで一人でプロダクトを作っていて、チームのように
 # → レポートは .planning/reports/security/security-{date}.md に保存
 # → STATE.md が Security Status で更新
 
-# CRITICAL な発見がある場合：
-# ⛔ Ship がブロックされました。/frame:ship の前に重大な発見を修正してください。
-# → レポートを開き、各 CRITICAL 項目を修正し、/frame:security を再実行
+# CRITICAL または HIGH な発見がある場合：
+# ⛔ Ship がブロックされました。/frame:security-fix を実行して修正してください。
+
+/frame:security-fix
+# → 最新レポートを読み込み、優先度順に発見を修正：
+#   CRITICAL を先に、次に HIGH
+#   - .env を git トラッキングから削除（git rm --cached）
+#   - next.config.js / Express に不足している security headers を追加
+#   - Route Handlers に CSRF 保護を追加
+#   - 脆弱な依存関係に npm audit fix を実行
+#   - Dockerfile を修正：USER ディレクティブを追加、:latest を置換
+#   - 既に履歴にあるシークレット：ローテーションと履歴書き換えの手順を説明
+# → 各修正を適用後に検証
+# → STATE.md を更新：全 CRITICAL 解決後に ship をアンブロック
+
+# ターゲット修正：
+/frame:security-fix critical     # CRITICAL のみ修正
+/frame:security-fix high         # HIGH のみ修正
+/frame:security-fix SEC-1        # ID で特定の発見を修正
+
+/frame:security
+# → 全てクリーンであることを確認するために監査を再実行
 
 # クリーンな場合：
-# ✓ 重大な問題なし。安全に進められます。
+# ✓ 重大な問題なし。/frame:ship で安全に進められます。
 
 /frame:ship
 # → セキュリティチェック通過、コミットとプッシュ
@@ -256,6 +275,7 @@ npx the-frame-ai init
 |---------|-------------|
 | `/frame:review` | デプロイ前 — 自動チェック + チェックリスト |
 | `/frame:security` | 深度セキュリティ監査：シークレット、OWASP、インフラ、AI/LLMリスク |
+| `/frame:security-fix` | 最新セキュリティレポートの発見を修正（CRITICAL 優先、次に HIGH） |
 | `/frame:health` | プロジェクト全体のヘルスチェック |
 | `/frame:check-deps` | セキュリティ監査 + 古いパッケージ |
 | `/frame:performance` | バンドルサイズとLighthouse監査 |

package/README.md

@@ -154,12 +154,31 @@ Run `/frame:research <topic>` — Claude explores the codebase, external sources
 # → report saved to .planning/reports/security/security-{date}.md
 # → STATE.md updated with Security Status
 
-# If CRITICAL findings:
-# ⛔ Ship BLOCKED. Fix critical findings before /frame:ship.
-# → open the report, fix each CRITICAL item, re-run /frame:security
+# If CRITICAL or HIGH findings:
+# ⛔ Ship BLOCKED. Run /frame:security-fix to fix critical findings.
+
+/frame:security-fix
+# → reads the latest report and fixes findings by priority:
+#   CRITICAL first, then HIGH
+#   - removes .env files from git tracking (git rm --cached)
+#   - adds missing security headers to next.config.js / Express
+#   - adds CSRF protection to Route Handlers
+#   - runs npm audit fix for vulnerable dependencies
+#   - fixes Dockerfile: adds USER directive, pins :latest tags
+#   - for secrets already in history: tells you exactly how to rotate + rewrite history
+# → verifies each fix after applying
+# → updates STATE.md: unblocks ship if all CRITICAL resolved
+
+# Targeted fixes:
+/frame:security-fix critical     # fix only CRITICAL findings
+/frame:security-fix high         # fix only HIGH findings
+/frame:security-fix SEC-1        # fix a specific finding by ID
+
+/frame:security
+# → re-run audit to confirm everything is clean
 
 # If clean:
-# ✓ No critical issues. Safe to proceed.
+# ✓ No critical issues. Safe to proceed with /frame:ship.
 
 /frame:ship
 # → security check passes, commit and push
@@ -258,6 +277,7 @@ These 7 commands cover 90% of solo dev work:
 |---------|-------------|
 | `/frame:review` | Before deploying — automated checks + checklist |
 | `/frame:security` | Deep security audit: secrets, OWASP, infra, AI/LLM risks |
+| `/frame:security-fix` | Fix findings from the latest security report (CRITICAL first, then HIGH) |
 | `/frame:health` | Full project health check |
 | `/frame:check-deps` | Dependency vulnerabilities + outdated packages |
 | `/frame:performance` | Bundle size and Lighthouse audit |

package/README.ru.md

@@ -124,12 +124,31 @@ Research → Plan → Build → Review → Ship → Reflect
 # → отчёт сохраняется в .planning/reports/security/security-{date}.md
 # → STATE.md обновляется с Security Status
 
-# Если найдены CRITICAL-проблемы:
-# ⛔ Ship ЗАБЛОКИРОВАН. Исправь критические находки перед /frame:ship.
-# → открой отчёт, исправь каждый CRITICAL-пункт, запусти /frame:security снова
+# Если найдены CRITICAL или HIGH проблемы:
+# ⛔ Ship ЗАБЛОКИРОВАН. Запусти /frame:security-fix чтобы исправить.
+
+/frame:security-fix
+# → читает последний отчёт и исправляет находки по приоритету:
+#   сначала CRITICAL, потом HIGH
+#   - убирает .env из git-трекинга (git rm --cached)
+#   - добавляет security headers в next.config.js / Express
+#   - добавляет CSRF-защиту на Route Handlers
+#   - запускает npm audit fix для уязвимых зависимостей
+#   - фиксит Dockerfile: добавляет USER, заменяет :latest на конкретную версию
+#   - для секретов уже в истории: говорит точно как ротировать + переписать историю
+# → проверяет каждый фикс после применения
+# → обновляет STATE.md: разблокирует ship если все CRITICAL устранены
+
+# Точечные фиксы:
+/frame:security-fix critical     # исправить только CRITICAL
+/frame:security-fix high         # исправить только HIGH
+/frame:security-fix SEC-1        # исправить конкретную находку по ID
+
+/frame:security
+# → повторный аудит чтобы убедиться что всё чисто
 
 # Если всё чисто:
-# ✓ Критических проблем нет. Можно продолжать.
+# ✓ Критических проблем нет. Можно продолжать с /frame:ship.
 
 /frame:ship
 # → проверка безопасности пройдена, коммит и пуш
@@ -254,6 +273,7 @@ npx the-frame init
 |---------|-------------------|
 | `/frame:review` | Перед деплоем — автоматические проверки + чеклист |
 | `/frame:security` | Глубокий аудит безопасности: секреты, OWASP, инфра, AI/LLM-риски |
+| `/frame:security-fix` | Исправить находки из последнего отчёта (сначала CRITICAL, потом HIGH) |
 | `/frame:health` | Полная проверка здоровья проекта |
 | `/frame:check-deps` | Аудит безопасности + устаревшие пакеты |
 | `/frame:performance` | Размер бандла и Lighthouse-аудит |

package/README.zh.md

@@ -126,12 +126,31 @@ FRAME — 面向 AI 辅助独立开发的框架
 # → 报告保存至 .planning/reports/security/security-{date}.md
 # → STATE.md 更新 Security Status
 
-# 如果发现 CRITICAL 问题：
-# ⛔ Ship 已阻止。在 /frame:ship 之前修复严重发现。
-# → 打开报告，修复每个 CRITICAL 项，重新运行 /frame:security
+# 如果发现 CRITICAL 或 HIGH 问题：
+# ⛔ Ship 已阻止。运行 /frame:security-fix 修复严重发现。
+
+/frame:security-fix
+# → 读取最新报告并按优先级修复发现：
+#   先修复 CRITICAL，再修复 HIGH
+#   - 从 git 跟踪中移除 .env（git rm --cached）
+#   - 向 next.config.js / Express 添加缺失的 security headers
+#   - 为 Route Handlers 添加 CSRF 保护
+#   - 对有漏洞的依赖运行 npm audit fix
+#   - 修复 Dockerfile：添加 USER 指令，替换 :latest
+#   - 对已在历史记录中的密钥：说明如何轮换 + 重写历史
+# → 应用后验证每个修复
+# → 更新 STATE.md：所有 CRITICAL 解决后解除 ship 阻止
+
+# 针对性修复：
+/frame:security-fix critical     # 仅修复 CRITICAL
+/frame:security-fix high         # 仅修复 HIGH
+/frame:security-fix SEC-1        # 按 ID 修复特定发现
+
+/frame:security
+# → 重新运行审计确认一切正常
 
 # 如果一切正常：
-# ✓ 没有严重问题。可以安全继续。
+# ✓ 没有严重问题。可以安全继续 /frame:ship。
 
 /frame:ship
 # → 安全检查通过，提交并推送
@@ -256,6 +275,7 @@ npx the-frame-ai init
 |------|---------|
 | `/frame:review` | 部署前——自动化检查 + 清单 |
 | `/frame:security` | 深度安全审计：密钥、OWASP、基础设施、AI/LLM 风险 |
+| `/frame:security-fix` | 修复最新安全报告中的发现（先 CRITICAL，再 HIGH） |
 | `/frame:health` | 完整项目健康检查 |
 | `/frame:check-deps` | 安全审计 + 过时包 |
 | `/frame:performance` | Bundle 大小和 Lighthouse 审计 |

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "the-frame-ai",
-  "version": "0.9.5",
+  "version": "0.9.6",
   "description": "FRAME — Framework for AI-Assisted Solo Development",
   "type": "module",
   "bin": {

package/templates/commands/frame:security-fix.md

@@ -0,0 +1,260 @@
+# /frame:security-fix — Fix Security Findings
+
+Fix security issues found by `/frame:security`. Reads the latest report and guides through fixes by priority: CRITICAL first, then HIGH.
+
+## Subcommands
+
+- `/frame:security-fix` — fix all findings from latest report
+- `/frame:security-fix critical` — fix only CRITICAL findings
+- `/frame:security-fix high` — fix only HIGH findings
+- `/frame:security-fix <finding-id>` — fix a specific finding (e.g. `SEC-1`)
+
+## Instructions
+
+### Step 0: Find Latest Report
+
+```bash
+REPORT=$(ls -t .planning/reports/security/security-*.md 2>/dev/null | head -1)
+[ -z "$REPORT" ] && echo "NO_REPORT" || echo "$REPORT"
+```
+
+If no report found → **STOP**:
+```
+❌ No security report found. Run /frame:security first.
+```
+
+Read the report and extract all findings with their severity, category, file, and line number.
+
+Parse `$ARGUMENTS`:
+- Empty → fix all CRITICAL + HIGH findings
+- `critical` → fix only CRITICAL
+- `high` → fix only HIGH
+- `SEC-N` → fix only that finding
+
+**Heartbeat**: "Found report: {REPORT}. Starting fixes..."
+
+### Step 1: Show Fix Plan
+
+Before making any changes, output a numbered plan:
+
+```
+Security Fix Plan
+─────────────────
+CRITICAL ({N}):
+  [SEC-1] {category}: {short description} — {file}:{line}
+  ...
+
+HIGH ({N}):
+  [SEC-N] {category}: {short description} — {file}:{line}
+  ...
+
+Starting with CRITICAL findings...
+```
+
+### Step 2: Fix CRITICAL Findings
+
+For each CRITICAL finding, apply the appropriate fix pattern:
+
+**Secrets in git (.env committed):**
+```bash
+# Remove from git tracking (do NOT delete the file)
+git rm --cached {file}
+echo "{file}" >> .gitignore
+```
+Then output:
+```
+⚠️  MANUAL ACTION REQUIRED:
+1. Rotate ALL secrets in {file} — they are compromised (in git history)
+2. Run: git filter-repo --path {file} --invert-paths
+   (or use BFG: https://rtyley.github.io/bfg-repo-cleaner/)
+3. Force-push to remote after history rewrite
+```
+
+**Secret hardcoded in source file:**
+- Replace the hardcoded value with `process.env.{VAR_NAME}` (or language equivalent)
+- Add `{VAR_NAME}=your_value_here` to `.env.example`
+- Add `.env` to `.gitignore` if not already there
+
+**SQL Injection (string concatenation):**
+- Replace string concatenation with parameterized query / prepared statement
+- Show before/after diff
+
+**Command Injection (exec with user input):**
+- Replace `exec(userInput)` with `execFile` + argument array, or validate/sanitize input
+
+**Path Traversal:**
+- Add `path.resolve` + check that result starts with allowed base directory
+
+**Heartbeat**: "CRITICAL fixes applied. Moving to HIGH findings..."
+
+### Step 3: Fix HIGH Findings
+
+**Secrets in .env committed to git:**
+Same as CRITICAL secrets pattern above.
+
+**.dockerignore missing or exposing .env:**
+- If `.dockerignore` missing: create it with standard ignores
+- If `.dockerignore` has `!.env*` line: remove it
+
+```
+# .dockerignore
+.env
+.env.*
+!.env.example
+.git
+node_modules
+```
+
+**Missing CSRF protection (Next.js App Router / Express):**
+
+For Next.js Route Handlers — add token validation:
+```typescript
+// lib/csrf.ts
+import { headers } from 'next/headers'
+
+export function validateCsrf() {
+  const origin = headers().get('origin')
+  const host = headers().get('host')
+  if (!origin || !origin.includes(host ?? '')) {
+    throw new Error('CSRF validation failed')
+  }
+}
+```
+Then call `validateCsrf()` at the top of each mutating Route Handler (POST/PUT/DELETE).
+
+For Express — add `csurf` or `csrf-csrf` middleware.
+
+**Missing HTTP security headers (Next.js):**
+
+Add to `next.config.js` / `next.config.ts`:
+```javascript
+const securityHeaders = [
+  { key: 'X-Frame-Options', value: 'SAMEORIGIN' },
+  { key: 'X-Content-Type-Options', value: 'nosniff' },
+  { key: 'Strict-Transport-Security', value: 'max-age=63072000; includeSubDomains; preload' },
+  { key: 'Referrer-Policy', value: 'strict-origin-when-cross-origin' },
+  { key: 'Permissions-Policy', value: 'camera=(), microphone=(), geolocation=()' },
+]
+
+// In nextConfig:
+headers: async () => [{ source: '/(.*)', headers: securityHeaders }]
+```
+
+For Express:
+```bash
+npm install helmet
+```
+```javascript
+import helmet from 'helmet'
+app.use(helmet())
+```
+
+**Vulnerable dependencies:**
+```bash
+npm audit fix
+```
+If `npm audit fix` can't resolve automatically:
+```bash
+npm audit fix --force
+```
+If still unresolved — output:
+```
+⚠️  Manual update needed for {package}:
+    npm install {package}@{safe-version}
+    Check changelog for breaking changes: {url}
+```
+
+**Dockerfile running as root:**
+Add before the last `CMD`/`ENTRYPOINT`:
+```dockerfile
+RUN addgroup --system appgroup && adduser --system --ingroup appgroup appuser
+USER appuser
+```
+
+**Dockerfile using :latest tag:**
+- Replace `FROM image:latest` with `FROM image:{specific-version}`
+- Check Docker Hub for the current stable version
+
+**Heartbeat**: "HIGH fixes applied. Running verification..."
+
+### Step 4: Verify Fixes
+
+Re-run targeted scans for each fixed category:
+
+```bash
+# Re-check secrets
+git ls-files 2>/dev/null | grep -iE '\.env$|\.env\.' | grep -v '\.env\.example' | grep -v '\.env\.template'
+
+# Re-check .dockerignore
+[ -f .dockerignore ] && grep -E '!\.env' .dockerignore && echo "STILL_EXPOSED" || echo "OK"
+
+# Re-check security headers
+grep -rn 'X-Frame-Options\|Strict-Transport-Security' next.config.* 2>/dev/null | head -5
+```
+
+For each fixed finding: output `✓ SEC-{N} verified` or `✗ SEC-{N} still present — {reason}`.
+
+### Step 5: Update Report
+
+Append to the existing report:
+
+```markdown
+## Fix Session — {date}
+
+| Finding | Status | Fix Applied |
+|---------|--------|-------------|
+| SEC-1 | ✓ Fixed | {description} |
+| SEC-2 | ✓ Fixed | {description} |
+| SEC-3 | ⚠️ Manual action required | {what user must do} |
+```
+
+### Step 6: Update STATE.md
+
+If all CRITICAL findings are resolved:
+```markdown
+- Security Status: HIGH (was CRITICAL — critical findings resolved)
+- Ship: UNBLOCKED
+```
+
+If CRITICAL findings remain:
+```markdown
+- Security Status: CRITICAL
+- Ship: BLOCKED — {N} critical findings remain
+```
+
+### Step 7: Final Output
+
+```
+Security Fix Complete
+─────────────────────
+Fixed:   {N} findings
+Manual:  {N} findings require your action
+Remain:  {N} findings (not in scope or couldn't auto-fix)
+
+{If all CRITICAL resolved:}
+✓ Ship UNBLOCKED. Run /frame:security to confirm, then /frame:ship.
+
+{If CRITICAL remain:}
+⛔ Ship still BLOCKED. {N} critical findings need manual action (see above).
+
+{If manual actions needed:}
+⚠️  Manual actions required:
+{numbered list of each manual step}
+```
+
+## Rules
+
+- **ALWAYS create a git checkpoint before making changes**: `git stash` or note current state
+- **NEVER delete .env files** — only remove from git tracking with `git rm --cached`
+- **NEVER auto-rotate secrets** — always tell the user to rotate manually
+- **NEVER run `git filter-repo` automatically** — it rewrites history, user must confirm
+- **ALWAYS verify** each fix after applying it
+- **ALWAYS explain** what was changed and why
+- **For npm audit fix --force**: warn about potential breaking changes before running
+
+## Result
+
+- Security findings fixed or documented with manual steps
+- Report updated with fix session
+- STATE.md updated (ship unblocked if CRITICAL resolved)
+- User knows exactly what manual actions remain

package/templates/commands/frame:security.md

@@ -395,8 +395,12 @@ Security audit complete.
 Critical: {N} | High: {N} | Medium: {N} | Low: {N}
 Report: .planning/reports/security/security-{date}.md
 
-{If critical: "⛔ Ship BLOCKED. Fix critical findings before /frame:ship."}
-{If no critical: "✓ No critical issues. Safe to proceed."}
+{If critical:
+"⛔ Ship BLOCKED. Run /frame:security-fix to fix critical findings."}
+{If high but no critical:
+"⚠️  No critical issues, but HIGH findings need attention. Run /frame:security-fix high."}
+{If no critical and no high:
+"✓ No critical issues. Safe to proceed with /frame:ship."}
 ```
 
 ## Rules