
fix · listed

Generate and PoC⁺-validate a patch for each confirmed/proven finding. The fixer agent writes a minimal defensive unified diff plus functional and semantic checks; the host applies it to a SANDBOX COPY, re-runs the existing PoC harness, the functional check, and the semantic oracle check for supported CWEs. A patch is "validated" only if all required gates pass. The working tree is never touched until you explicitly approve the apply step. Requires confirmed/proven findings (run /verify and /poc first).
allsmog/kuzushi-security-plugin · ★ 0 · AI & Automation · score 74
Install: claude install-skill allsmog/kuzushi-security-plugin
# Patch generation + PoC⁺ validation

Turn the repo's confirmed/proven findings into **validated** fixes. Requires findings at `confirmed`/`proven` in `.kuzushi/findings.json` — run `/verify` (and `/poc` for empirical harnesses) first.

**PoC⁺ moat:** a patch is `validated` only when it stops the existing PoC harness, passes a functional/regression check, and passes the semantic oracle check for supported CWEs. Validation runs against a **sandbox copy** — your working tree is never modified until you explicitly approve the apply step.

1. Run `node "${CLAUDE_PLUGIN_ROOT}/scripts/cmd/fix-prepare.mjs" --target "<repo root>"` (optionally `--input '{"maxCandidates":8}'`). If there are no fixable findings, tell the user to run `/verify` and `/poc` first, and stop. Read the prep's `prepPath`.
2. For **each** candidate, root-cause the bug and write a **minimal defensive unified diff** + a `functionalCheck`, using each candidate's `findingFingerprint` verbatim. If the candidate has `semanticOracle`, also write a runnable `semanticCheck` that exercises its positive/negative controls; supported CWE fixes are not `validated` without that semantic check. Set `harnessLinkage` honestly. Write the `{ candidates: [...] }` bundle to the prep's `draftPath`. Write only under the run dir — never edit application code here.
3. Run the `assembleCommand` (finalize). It applies each diff to a sandbox copy, re-runs the PoC (expecting NO crash), runs the functional check, runs
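The gating flow described above (apply the candidate diff to a sandbox copy, re-run the PoC harness, run the functional check, run the semantic oracle, mark `validated` only if every gate passes, never write to the real tree) as an added, self-contained illustration. This is not the kuzushi plugin's own code: the plugin's bundle schema, `assembleCommand` and gate internals are not shown on the page, so `apply_unified_diff` is a minimal stand-in for `patch`/`git apply`, and the sample repo, the out-of-bounds-read bug, the PoC input and both candidate diffs are constructed for the demo. The second candidate stops the PoC input but fails the semantic oracle's negative control, which is the case the semantic check exists to catch.

```python
"""Sandbox-copy patch gating, an added illustration (not the kuzushi plugin's code;
the sample repo, bug, PoC input and both candidate diffs are constructed)."""
import importlib.util
import re
import shutil
import tempfile
from pathlib import Path

HUNK_RE = re.compile(r"^@@ -(\d+)(?:,(\d+))? \+(\d+)(?:,(\d+))? @@")


def apply_unified_diff(original: str, diff: str) -> str:
    """Minimal single-file unified-diff applier (assumption: stands in for patch/git apply).
    Raises ValueError on a context mismatch, as those tools do."""
    src, lines = original.splitlines(keepends=True), diff.splitlines(keepends=True)
    out, pos, i = [], 0, 0
    while i < len(lines) and not lines[i].startswith("@@"):
        i += 1  # skip the ---/+++ file headers
    while i < len(lines):
        m = HUNK_RE.match(lines[i])
        if not m:
            raise ValueError(f"bad hunk header: {lines[i]!r}")
        # headers are 1-based; "-0,0" means insert before the first line
        old_start = int(m.group(1)) if m.group(2) == "0" else int(m.group(1)) - 1
        out.extend(src[pos:old_start])  # untouched lines before the hunk
        pos, i = old_start, i + 1
        while i < len(lines) and not lines[i].startswith("@@"):
            tag, body = lines[i][0], lines[i][1:]
            if tag in (" ", "-"):  # context and removed lines must match the file
                if pos >= len(src) or src[pos] != body:
                    raise ValueError(f"context mismatch at line {pos + 1}")
                if tag == " ":
                    out.append(body)
                pos += 1
            elif tag == "+":
                out.append(body)
            # anything else (e.g. "\ No newline at end of file") is informational
            i += 1
    out.extend(src[pos:])
    return "".join(out)


def validate_in_sandbox(repo: Path, rel_path: str, diff: str, gates: dict) -> dict:
    """Copy `repo` to a throwaway dir, patch `rel_path` THERE and run every gate on the
    copy. `repo` itself is never written; status is 'validated' only if all gates pass."""
    scratch = Path(tempfile.mkdtemp(prefix="sandbox-"))
    try:
        tree = scratch / "tree"
        shutil.copytree(repo, tree)
        target = tree / rel_path
        try:
            target.write_text(apply_unified_diff(target.read_text(), diff))
        except ValueError as exc:
            return {"status": "patch_failed", "error": str(exc), "gates": {}}
        results = {name: bool(gate(tree)) for name, gate in gates.items()}
        return {"status": "validated" if all(results.values()) else "rejected", "gates": results}
    finally:
        shutil.rmtree(scratch, ignore_errors=True)


# Constructed sample: an out-of-bounds read (CWE-125 class) in a tiny module.
VULN_SRC = "def read_record(records, idx):\n    return records[idx]\n"


def candidate_diff(guard: str) -> str:
    """Unified diff that inserts `guard` (two '+' lines) after the def line."""
    return ("--- a/records.py\n+++ b/records.py\n@@ -1,2 +1,4 @@\n"
            " def read_record(records, idx):\n" + guard + "     return records[idx]\n")


GOOD_DIFF = candidate_diff("+    if not 0 <= idx < len(records):\n+        return None\n")
WEAK_DIFF = candidate_diff("+    if idx >= len(records):\n+        return None\n")  # misses idx < 0


def _probe(tree: Path, idx: int):
    """Import the sandboxed records.py and call read_record; 'CRASH' on IndexError."""
    spec = importlib.util.spec_from_file_location("records_under_test", tree / "records.py")
    mod = importlib.util.module_from_spec(spec)
    spec.loader.exec_module(mod)
    try:
        return mod.read_record(["a", "b"], idx)
    except IndexError:
        return "CRASH"


GATES = {
    # existing PoC harness: the input that crashed before must no longer raise
    "poc": lambda t: _probe(t, 5) != "CRASH",
    # functional/regression check: an ordinary in-range read still works
    "functional": lambda t: _probe(t, 1) == "b",
    # semantic oracle: positive control plus negative controls (negative index included)
    "semantic": lambda t: _probe(t, 0) == "a" and _probe(t, 3) is None and _probe(t, -3) is None,
}


def run_demo() -> dict:
    """Validate both candidates against a constructed repo and confirm it was left untouched."""
    repo = Path(tempfile.mkdtemp(prefix="repo-"))
    try:
        (repo / "records.py").write_text(VULN_SRC)
        good = validate_in_sandbox(repo, "records.py", GOOD_DIFF, GATES)
        weak = validate_in_sandbox(repo, "records.py", WEAK_DIFF, GATES)
        untouched = (repo / "records.py").read_text() == VULN_SRC
        return {"good": good, "weak": weak, "original_unchanged": untouched}
    finally:
        shutil.rmtree(repo, ignore_errors=True)
```

`run_demo()` reports `GOOD_DIFF` as `validated` and `WEAK_DIFF` as `rejected`: the weak patch passes the PoC gate (index 5 no longer crashes) and the functional gate, but the semantic oracle's negative control with a negative index still raises, so the patch never reaches the apply step. The original `records.py` is byte-identical afterwards, which is the property the sandbox copy exists to guarantee.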