AI fix prompts
Every finding's remediation guidance has a Copy fix prompt button beneath it. Click it, paste it into Claude / Cursor / Copilot, and the agent receives the standard remediation recipe for that vulnerability in your code's framework; we do not call the Claude API.
How it works
Clicking combines two pieces of data:
- The finding — the issue summary, affected surface, remediation guidance, and safe evidence needed to help your coding agent fix it.
- Your app context — FixVibe uses scan context when available to choose a framework-aware remediation shape, and falls back to a generic recipe when it cannot infer enough context.
Fix prompts are rendered server-side from FixVibe remediation guidance. They are designed for copy-paste use in Cursor, Claude Desktop, Copilot, or another coding agent without exposing the internal prompt registry in the browser.
What a prompt looks like
Fix the "Reflected XSS in /search?q=" vulnerability at /search.
Issue: Query parameter q is rendered into the response body without
escaping; an attacker can inject <script> via crafted URLs.
Codebase context: Next.js.
Recommended fix:
In Next.js, render user-supplied values through JSX ({value}) so React's
automatic escaping kicks in. For server components rendering rich HTML,
sanitize with DOMPurify (server-side via JSDOM) before output.
Constraints:
- Don't break existing tests; run the test suite after the change.
- Match the codebase's existing style and lint config.
- Add a brief comment explaining the security reasoning only where the
fix would otherwise look arbitrary.
- If the fix needs a new dependency, install it via the project's
package manager (npm / pnpm / pip / bundle / composer).
Reference: CWE-79 — see https://cwe.mitre.org/data/definitions/79.html
Supported frameworks
We provide framework-specific snippets for:
- Next.js, React, Vue, Nuxt, Svelte (frontend)
- Express, Fastify (Node.js backend)
- Django, Flask (Python)
- Ruby on Rails
- Laravel (PHP)
- ASP.NET Core fallback guidance
Framework context is best-effort. If FixVibe cannot infer enough safely from the scan, the prompt asks your coding agent to inspect the repository before applying the fix.
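The "finding + app context" rendering and the framework fallback described above, as an added example that is not FixVibe's own code: a small Node.js renderer that selects a framework-aware recipe from the finding's CWE and the scan's framework context, and otherwise falls back to a generic recipe that asks the agent to inspect the repository first. The recipe table, field names, and generic wording are assumptions; only the Next.js XSS recipe echoes the sample prompt.

```javascript
// Added illustration of the finding + app context -> prompt flow. Not FixVibe's
// code: recipe table, field names and fallback wording are assumptions.
const RECIPES = {
  79: { // CWE-79, cross-site scripting
    "next.js":
      "In Next.js, render user-supplied values through JSX ({value}) so React's " +
      "automatic escaping kicks in. For server components rendering rich HTML, " +
      "sanitize with DOMPurify (server-side via JSDOM) before output.",
    generic:
      "Encode untrusted data for the exact output context (HTML body, attribute, " +
      "URL, script) with the templating layer's escaping function before output.",
  },
};
const CONSTRAINTS = [
  "Don't break existing tests; run the test suite after the change.",
  "Match the codebase's existing style and lint config.",
  "Add a brief comment explaining the security reasoning only where the fix would otherwise look arbitrary.",
  "If the fix needs a new dependency, install it via the project's package manager (npm / pnpm / pip / bundle / composer).",
];
// Framework-aware recipe when scan context names a known framework; otherwise generic + inspect-repo step.
function selectRecipe(cwe, framework) {
  const byCwe = RECIPES[cwe] || {};
  const key = framework ? framework.toLowerCase() : null;
  if (key && byCwe[key]) return { text: byCwe[key], inferred: true };
  const generic = byCwe.generic || "Apply the standard remediation for this weakness class.";
  return { text: generic + " Inspect the repository first to confirm the framework and templating layer before applying the fix.", inferred: false };
}
function renderFixPrompt(finding, context = {}) {
  const recipe = selectRecipe(finding.cwe, context.framework);
  return [
    `Fix the "${finding.title}" vulnerability at ${finding.surface}.`,
    `Issue: ${finding.summary}`,
    `Codebase context: ${recipe.inferred ? context.framework : "unknown (not inferred from scan)"}.`,
    "Recommended fix:",
    recipe.text,
    "Constraints:",
    ...CONSTRAINTS.map((c) => `- ${c}`),
    `Reference: CWE-${finding.cwe}, see https://cwe.mitre.org/data/definitions/${finding.cwe}.html`,
  ].join("\n");
}
// Constructed sample finding, not real scan output.
const sampleFinding = {
  title: "Reflected XSS in /search?q=",
  surface: "/search",
  summary: "Query parameter q is rendered into the response body without escaping.",
  cwe: 79,
};
```

Calling `renderFixPrompt(sampleFinding, { framework: "Next.js" })` yields the framework-specific prompt; calling it with an empty context yields the generic recipe with the inspect-the-repository instruction.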
Using it from your AI agent
If you have already connected the MCP server, the same prompt is also exposed as a slash command. From Claude Desktop:
/fixvibe-fix finding_id=550e8400-e29b-41d4-a716-446655440000
The server looks up the finding, applies available scan context, renders the remediation prompt, and injects it into your conversation as the user message. No third-party LLM API call is made by FixVibe for this templated prompt.
Why we don't call Claude on every click
Before launch we considered calling the Anthropic API on each click to refine the prompt with codebase context. We decided against it because:
- The agent the user pastes into already has the codebase context: they are using it from Cursor / Claude Desktop with the repo open.
- Server-side templating covers the common remediation paths without any per-click model call.
- An opt-in "Refine with AI for my codebase" could be added later, letting users who want it trigger the API. Not today.
