Install: claude install-skill air-gapped/skills
# patch
Third leg of the static pipeline (`/vuln-scan` → `/triage` → `/patch`).
Turns a ranked list of verified findings into candidate diffs.
The skill **never applies a diff** to the target repo. Output is inert text
in `./PATCHES/` for a human to review and apply out-of-band — see § "Reviewing
generated patches" at the end of this file. There is no `--apply` or
`--approve` flag by design: the capability isn't present, so it can't be
prompt-injected into use.
Invoke with `/patch <findings-path> [--repo PATH] [--top N] [--id fNNN]
[--model M] [--fresh]`.
**Arguments** (parse from `$ARGUMENTS`):
- findings path (first positional, required): `TRIAGE.json`,
`VULN-FINDINGS.json`, a pipeline `results/<target>/<ts>/` directory, or any
JSON the `/triage` ingest table recognizes.
- `--repo PATH`: target codebase, read-only (default cwd). Required for
static mode; the skill stops if cited files don't resolve under it.
- `--top N`: patch only the N highest-severity true positives (static mode).
- `--id fNNN`: patch only the finding with this id.
- `--model M`: passed through to `vuln-pipeline patch` in execution-verified
mode. Ignored in static mode (subagents inherit the orchestrator's model).
- `--fresh`: ignore `./.patch-state/` checkpoint and start over.
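As an added illustration (not the skill's own code), here is how the argument contract above can be enforced in Python: a parser that accepts exactly the documented flags, so an `--apply` or `--approve` smuggled into `$ARGUMENTS` is rejected rather than silently honoured, plus the "cited files must resolve under `--repo`" stop condition implemented with a containment check. The function names `parse_patch_args` and `unresolved_cited_files` are assumptions.

```python
import argparse
import re
from pathlib import Path

def build_parser() -> argparse.ArgumentParser:
    """Exactly the flags /patch documents. There is no --apply/--approve."""
    p = argparse.ArgumentParser(prog="/patch", add_help=False, allow_abbrev=False)
    p.add_argument("findings")                      # TRIAGE.json, VULN-FINDINGS.json or results dir
    p.add_argument("--repo", default=".")           # target codebase, read-only
    p.add_argument("--top", type=int)               # N highest-severity true positives
    p.add_argument("--id", dest="finding_id")       # single finding, fNNN
    p.add_argument("--model")                       # only used in execution-verified mode
    p.add_argument("--fresh", action="store_true")  # ignore ./.patch-state/ checkpoint
    return p

def parse_patch_args(argv: list[str]) -> dict:
    """Parse $ARGUMENTS; raise ValueError on anything the skill does not accept."""
    try:
        ns, unknown = build_parser().parse_known_args(argv)
    except SystemExit:  # argparse exits when the required findings path is missing
        raise ValueError("missing required findings path") from None
    if unknown:  # unknown flags are an error, not a capability to discover
        raise ValueError(f"unsupported argument(s): {' '.join(unknown)}")
    if ns.finding_id is not None and not re.fullmatch(r"f\d{3,}", ns.finding_id):
        raise ValueError(f"--id must look like fNNN, got {ns.finding_id!r}")
    if ns.top is not None and ns.top < 1:
        raise ValueError("--top must be a positive integer")
    return vars(ns)

def unresolved_cited_files(cited: list[str], repo: str) -> list[str]:
    """Return cited paths that do not exist as files inside repo once symlinks
    and '..' are resolved. A non-empty result is the skill's stop condition."""
    root = Path(repo).resolve()
    bad = []
    for rel in cited:
        target = (root / rel).resolve()
        if root not in target.parents or not target.is_file():
            bad.append(rel)
    return bad
```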
**Tools.** Prefer Read, Glob, Grep, Write, Task. Some sessions do not
provision Glob or Grep; `allowed-tools` is a permission filter, not a loader.
When they are unavailable, fall back to the read-only Bash commands
w