
Autofix: generate patches and PRs for low-severity findings #113

@jeff-atriumn

Summary

Findings already include a suggestion field with remediation guidance. For low-severity (and optionally medium with high confidence), noxaudit could close the loop by generating actual code patches, applying them, and opening a PR — instead of just filing an issue.

Proposed approach

Add a new noxaudit/autofix.py module that consumes findings and produces diffs/PRs.

Pipeline integration

Route findings based on severity and config:

new_findings
  ├── high/medium → create_issues_for_findings()  (existing)
  └── low (autofix eligible) → generate_fix() → open PR

Implementation

  1. generate_fix(finding, file_content) -> str | None

    • Send the finding (title, description, suggestion) + the actual file content to an LLM
    • Prompt: "Produce a minimal unified diff that addresses this finding. Change only what's necessary."
    • Parse the diff output, validate it applies cleanly
  2. apply_and_verify(diff, repo_path) -> bool

    • Apply the patch to a working copy
    • Run lint (ruff check) as a smoke test — if it fails, discard
    • Optionally run tests if configured
  3. open_fix_pr(findings, branch_name) -> str

    • Group autofix'd findings into a single branch/PR
    • PR body lists each finding and what was changed
    • Label: noxaudit:autofix
  4. Config

autofix:
  enabled: false
  severity: low           # max severity to autofix (low | medium)
  require_lint_pass: true  # discard fix if ruff check fails
  require_tests_pass: false  # optionally gate on test suite

Safeguards

  • Only applies to findings with a non-empty suggestion
  • Diff must apply cleanly or is discarded
  • Lint gate by default — if the fix introduces lint errors, skip it
  • PR is opened for review, never auto-merged
  • Config is opt-in (enabled: false default)

Relationship to other work
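The routing, diff-validation, lint-gate and PR-body steps above, worked through as one runnable sketch. This is an added example, not noxaudit code: `Finding`, `AutofixConfig`, `route_findings`, `apply_unified_diff`, `lint_gate` and `build_pr_body` are hypothetical names, the sample file and diff are constructed, and the diff stands in for what the LLM step would return. The applier is deliberately strict: every context and removed line must match the file exactly, hunks must be in order, and any deviation returns `None`, which is the "discard" path the safeguards call for.

```python
"""Added example (not noxaudit code): severity routing, fail-closed unified-diff
application, the ruff smoke test and a PR body, following the issue's sketch.
All names are hypothetical; noxaudit's real finding type may differ."""
from __future__ import annotations
import re
import subprocess
from dataclasses import dataclass

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2}
HUNK_RE = re.compile(r"^@@ -(\d+)(?:,(\d+))? \+(\d+)(?:,(\d+))? @@")

@dataclass(frozen=True)
class Finding:
    id: str
    path: str
    severity: str    # "low" | "medium" | "high"
    confidence: str  # "low" | "medium" | "high"
    suggestion: str  # remediation guidance; empty means not autofix-eligible

@dataclass(frozen=True)
class AutofixConfig:  # mirrors the proposed `autofix:` config keys
    enabled: bool = False
    severity: str = "low"  # max severity to autofix (low | medium)
    require_lint_pass: bool = True

def is_autofix_eligible(f: Finding, cfg: AutofixConfig) -> bool:
    """Opt-in, non-empty suggestion, at or below the ceiling; medium needs high confidence."""
    if not cfg.enabled or not f.suggestion.strip():
        return False
    if SEVERITY_RANK.get(f.severity, 99) > SEVERITY_RANK[cfg.severity]:
        return False
    return f.severity != "medium" or f.confidence == "high"

def route_findings(findings: list[Finding], cfg: AutofixConfig):
    """(issue_findings, autofix_findings); ineligible ones keep the existing issue path."""
    fix = [f for f in findings if is_autofix_eligible(f, cfg)]
    return [f for f in findings if f not in fix], fix

def apply_unified_diff(original: str, diff: str) -> str | None:
    """Apply a single-file unified diff in memory; None if any hunk does not apply exactly."""
    src, lines, out, cursor, i, hunks = original.splitlines(), diff.splitlines(), [], 0, 0, 0
    while i < len(lines):
        m = HUNK_RE.match(lines[i])
        if not m:  # tolerate file headers; anything else outside a hunk is malformed
            if lines[i].startswith(("--- ", "+++ ", "diff ", "index ")):
                i += 1
                continue
            return None
        old_len = int(m.group(2)) if m.group(2) is not None else 1
        start = int(m.group(1)) - (1 if old_len else 0)  # 0-based; pure insert points after the line
        if start < cursor:
            return None  # overlapping or out-of-order hunks
        out.extend(src[cursor:start])
        cursor, consumed, i, hunks = start, 0, i + 1, hunks + 1
        while i < len(lines) and not HUNK_RE.match(lines[i]):
            tag, body = lines[i][:1], lines[i][1:]
            i += 1
            if tag == "\\":  # "\ No newline at end of file"
                continue
            if tag == "+":
                out.append(body)
                continue
            if tag not in (" ", "-", ""):  # "" is a blank context line with its space dropped
                return None
            if cursor >= len(src) or src[cursor] != body:
                return None  # context or removed line does not match the file: discard
            if tag != "-":
                out.append(body)
            cursor, consumed = cursor + 1, consumed + 1
        if consumed != old_len:
            return None
    if not hunks:
        return None
    out.extend(src[cursor:])
    return "\n".join(out) + ("\n" if original.endswith("\n") else "")

def lint_gate(repo_path: str) -> bool:
    """The issue's smoke test (`ruff check`); fails closed if ruff is not installed."""
    try:
        return subprocess.run(["ruff", "check", repo_path], capture_output=True).returncode == 0
    except FileNotFoundError:
        return False

def build_pr_body(fixed: list[tuple[Finding, str]]) -> str:
    """One line per finding and what changed, for the PR labelled noxaudit:autofix."""
    body = ["Automated fixes for autofix-eligible findings (label: noxaudit:autofix).", ""]
    for f, diff in fixed:
        n = sum(1 for l in diff.splitlines() if l[:1] in ("+", "-") and not l.startswith(("+++ ", "--- ")))
        body.append(f"- {f.id} ({f.severity}) {f.path}: {f.suggestion} [{n} line(s) changed]")
    return "\n".join(body)

# Constructed sample: a file, a low-severity finding, and a diff standing in for LLM output.
SAMPLE_FILE = "import os\nimport subprocess\n\ndef run(cmd):\n    return subprocess.call(cmd)\n"
SAMPLE_DIFF = ("--- a/app.py\n+++ b/app.py\n@@ -1,5 +1,4 @@\n-import os\n import subprocess\n"
               " \n def run(cmd):\n     return subprocess.call(cmd)\n")
SAMPLE_FINDING = Finding("F-1", "app.py", "low", "high", "Remove the unused `os` import")
```

With `AutofixConfig(enabled=True)`, `route_findings([SAMPLE_FINDING], cfg)` sends the sample finding down the autofix path and `apply_unified_diff(SAMPLE_FILE, SAMPLE_DIFF)` returns the file without the `os` import; change one removed line in the diff and it returns `None`, so the caller files an issue instead. `lint_gate` returns `False` when ruff is missing rather than letting an unverified patch through, which keeps `require_lint_pass: true` meaningful in environments where the tool is not on `PATH`.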
