Findings aren't fixes
A scanner that says 'your S3 bucket is public' is half the job. The other half is: what's the safe fix? Can it be rolled back? How will we verify it? Who has to approve it? What audit record gets written?
The full bundle
Every Axiom remediation candidate ships with: a Terraform preview you can review locally; a CLI preview (aws/az/gcloud/gh) that states whether a dry run is available and which permissions the command needs; a rollback plan with a complexity classification and an explicit data-loss/downtime risk; a verification checklist with concrete expected-state lines; and an execution-readiness decision that maps directly to a state in the orchestration state machine.
Honest manual-review fallback
When the generator can't safely express a remediation as Terraform, e.g. one that requires customer-specific CIDR ranges, or a key rotation that touches dependent systems, the bundle is honestly labelled manualReviewRequired: true rather than fabricating plausible-looking HCL. No fake fixes.
Built on the digital twin
Every candidate runs through the simulation center before approval can advance the orchestration. The twin computes blast radius (3-hop BFS over recorded dependencies), risk delta, and field-level diff with forbidden-key redaction. The simulation result is the evidence the approver sees.
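To make the simulation step concrete, here is an added Python example of the three computations named above: a hop-bounded BFS for blast radius, a risk delta, and a field-level diff with forbidden-key redaction. This is illustrative code written for this page, not Axiom's own implementation; the dependency graph, the risk weights, the forbidden-key list, the before/after bucket states and the readiness rule are all constructed assumptions.

```python
from collections import deque

# Constructed dependency graph (assumption, not recorded Axiom data):
# resource -> resources that depend on it. Five hops deep on purpose,
# so the 3-hop bound is visible in the result.
DEPENDENCIES = {
    "s3:reports-bucket": ["lambda:report-export", "iam:role/reports-reader"],
    "lambda:report-export": ["sqs:export-queue"],
    "sqs:export-queue": ["lambda:notify"],
    "lambda:notify": ["sns:alerts"],
    "sns:alerts": ["pagerduty:oncall"],
    "iam:role/reports-reader": [],
}

# Assumed forbidden keys: values under these names never reach the approver.
FORBIDDEN_KEYS = {"secret_key", "password", "token", "private_key"}
REDACTED = "[REDACTED]"

# Assumed risk weights per misconfiguration flag.
RISK_WEIGHTS = {"public_access": 10, "encryption_disabled": 5, "versioning_disabled": 2}
MAX_BLAST = 5  # assumed readiness threshold on affected-resource count


def blast_radius(graph, root, max_hops=3):
    """BFS from root; returns {resource: hop_distance} for every dependent
    reachable within max_hops. Nodes beyond the bound are never enqueued."""
    seen = {root: 0}
    queue = deque([root])
    while queue:
        node = queue.popleft()
        hops = seen[node]
        if hops == max_hops:
            continue  # do not expand past the bound
        for dep in graph.get(node, []):
            if dep not in seen:
                seen[dep] = hops + 1
                queue.append(dep)
    del seen[root]
    return seen


def risk_score(state):
    return sum(w for flag, w in RISK_WEIGHTS.items() if state.get(flag))


def risk_delta(before, after):
    """Negative means the remediation reduces risk."""
    return risk_score(after) - risk_score(before)


def field_diff(before, after, path=""):
    """Recursive field-level diff as (path, old, new) tuples. Changes under a
    forbidden key are reported as having happened, but the values are redacted."""
    changes = []
    for k in sorted(set(before) | set(after)):
        p = f"{path}.{k}" if path else k
        old, new = before.get(k), after.get(k)
        if isinstance(old, dict) and isinstance(new, dict):
            changes.extend(field_diff(old, new, p))
        elif old != new:
            if k in FORBIDDEN_KEYS:
                old = REDACTED if old is not None else None
                new = REDACTED if new is not None else None
            changes.append((p, old, new))
    return changes


def simulate(graph, root, before, after, max_hops=3):
    """The evidence bundle an approver would see, plus a readiness decision
    (assumed rule: risk must not increase and blast radius must stay small)."""
    radius = blast_radius(graph, root, max_hops)
    delta = risk_delta(before, after)
    ready = delta <= 0 and len(radius) <= MAX_BLAST
    return {
        "blast_radius": radius,
        "risk_delta": delta,
        "diff": field_diff(before, after),
        "decision": "ready_for_approval" if ready else "needs_review",
    }


# Constructed before/after states for the public-bucket finding.
BEFORE = {
    "public_access": True, "encryption_disabled": False, "versioning_disabled": False,
    "policy": {"principal": "*"},
    "credentials": {"token": "old-token-value"},
}
AFTER = {
    "public_access": False, "encryption_disabled": False, "versioning_disabled": False,
    "policy": {"principal": "arn:aws:iam::123456789012:root"},
    "credentials": {"token": "rotated-token-value"},
}

if __name__ == "__main__":
    result = simulate(DEPENDENCIES, "s3:reports-bucket", BEFORE, AFTER)
    for k, v in result.items():
        print(f"{k}: {v}")
```

Running it shows the 3-hop bound in action: sns:alerts and pagerduty:oncall sit four and five hops out and are excluded from the blast radius, the token rotation appears in the diff only as a redacted change, and the public_access flip drives a negative risk delta.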