getdoorman 1.0.0

package/src/detector.js

@@ -0,0 +1,142 @@
+import { readFileSync, existsSync } from 'fs';
+import { join } from 'path';
+
+/**
+ * Auto-detect the project's technology stack by examining files.
+ */
+export async function detectStack(targetPath) {
+  const stack = {
+    language: null,
+    framework: null,
+    runtime: null,
+    orm: null,
+    database: null,
+    hasDocker: false,
+    hasCI: false,
+    hasTypescript: false,
+    hasTests: false,
+    packageManager: null,
+    dependencies: {},
+    devDependencies: {},
+  };
+
+  // Check package.json (Node.js ecosystem)
+  const pkgPath = join(targetPath, 'package.json');
+  if (existsSync(pkgPath)) {
+    try {
+      const pkg = JSON.parse(readFileSync(pkgPath, 'utf-8'));
+      stack.language = 'javascript';
+      stack.runtime = 'node';
+      stack.dependencies = pkg.dependencies || {};
+      stack.devDependencies = pkg.devDependencies || {};
+      const allDeps = { ...stack.dependencies, ...stack.devDependencies };
+
+      // Detect framework
+      if (allDeps['next']) stack.framework = 'nextjs';
+      else if (allDeps['nuxt']) stack.framework = 'nuxt';
+      else if (allDeps['express']) stack.framework = 'express';
+      else if (allDeps['fastify']) stack.framework = 'fastify';
+      else if (allDeps['hono']) stack.framework = 'hono';
+      else if (allDeps['koa']) stack.framework = 'koa';
+      else if (allDeps['@remix-run/node']) stack.framework = 'remix';
+      else if (allDeps['svelte'] || allDeps['@sveltejs/kit']) stack.framework = 'sveltekit';
+      else if (allDeps['astro']) stack.framework = 'astro';
+      else if (allDeps['react']) stack.framework = 'react';
+      else if (allDeps['vue']) stack.framework = 'vue';
+
+      // Detect ORM
+      if (allDeps['prisma'] || allDeps['@prisma/client']) stack.orm = 'prisma';
+      else if (allDeps['drizzle-orm']) stack.orm = 'drizzle';
+      else if (allDeps['typeorm']) stack.orm = 'typeorm';
+      else if (allDeps['sequelize']) stack.orm = 'sequelize';
+      else if (allDeps['mongoose']) { stack.orm = 'mongoose'; stack.database = 'mongodb'; }
+      else if (allDeps['knex']) stack.orm = 'knex';
+
+      // Detect database
+      if (allDeps['pg'] || allDeps['@supabase/supabase-js']) stack.database = 'postgresql';
+      else if (allDeps['mysql2'] || allDeps['mysql']) stack.database = 'mysql';
+      else if (allDeps['better-sqlite3'] || allDeps['sqlite3']) stack.database = 'sqlite';
+      else if (allDeps['redis'] || allDeps['ioredis']) stack.database = stack.database || 'redis';
+
+      // Detect package manager
+      if (existsSync(join(targetPath, 'pnpm-lock.yaml'))) stack.packageManager = 'pnpm';
+      else if (existsSync(join(targetPath, 'yarn.lock'))) stack.packageManager = 'yarn';
+      else if (existsSync(join(targetPath, 'bun.lockb'))) stack.packageManager = 'bun';
+      else stack.packageManager = 'npm';
+
+    } catch (e) { /* ignore parse errors */ }
+  }
+
+  // Check Python
+  if (existsSync(join(targetPath, 'requirements.txt')) || existsSync(join(targetPath, 'pyproject.toml'))) {
+    stack.language = stack.language || 'python';
+    stack.runtime = 'python';
+    // Try to detect Django/Flask/FastAPI from requirements
+    try {
+      const reqFile = existsSync(join(targetPath, 'requirements.txt'))
+        ? readFileSync(join(targetPath, 'requirements.txt'), 'utf-8')
+        : '';
+      if (reqFile.includes('django')) stack.framework = 'django';
+      else if (reqFile.includes('fastapi')) stack.framework = 'fastapi';
+      else if (reqFile.includes('flask')) stack.framework = 'flask';
+    } catch (e) { /* ignore */ }
+  }
+
+  // Check Ruby
+  if (existsSync(join(targetPath, 'Gemfile'))) {
+    stack.language = stack.language || 'ruby';
+    stack.runtime = 'ruby';
+    try {
+      const gemfile = readFileSync(join(targetPath, 'Gemfile'), 'utf-8');
+      if (gemfile.includes('rails')) stack.framework = 'rails';
+      else if (gemfile.includes('sinatra')) stack.framework = 'sinatra';
+    } catch (e) { /* ignore */ }
+  }
+
+  // Check Go
+  if (existsSync(join(targetPath, 'go.mod'))) {
+    stack.language = stack.language || 'go';
+    stack.runtime = 'go';
+  }
+
+  // TypeScript
+  if (existsSync(join(targetPath, 'tsconfig.json'))) {
+    stack.hasTypescript = true;
+  }
+
+  // Docker
+  if (existsSync(join(targetPath, 'Dockerfile')) || existsSync(join(targetPath, 'docker-compose.yml')) || existsSync(join(targetPath, 'docker-compose.yaml'))) {
+    stack.hasDocker = true;
+  }
+
+  // CI/CD
+  if (existsSync(join(targetPath, '.github/workflows')) || existsSync(join(targetPath, '.gitlab-ci.yml')) || existsSync(join(targetPath, '.circleci'))) {
+    stack.hasCI = true;
+  }
+
+  // Tests
+  if (existsSync(join(targetPath, 'test')) || existsSync(join(targetPath, 'tests')) || existsSync(join(targetPath, '__tests__')) || existsSync(join(targetPath, 'spec'))) {
+    stack.hasTests = true;
+  }
+
+  // Detect library vs application
+  // A library typically: has `main` or `exports` in package.json, no `start` script,
+  // and the package name doesn't suggest it's an app
+  stack.isLibrary = false;
+  if (existsSync(pkgPath)) {
+    try {
+      const pkg = JSON.parse(readFileSync(pkgPath, 'utf-8'));
+      const hasEntry = !!(pkg.main || pkg.exports || pkg.module || pkg.files || existsSync(join(targetPath, 'index.js')));
+      const hasStart = !!(pkg.scripts?.start || pkg.scripts?.serve || pkg.scripts?.dev);
+      const isPrivate = !!pkg.private;
+      const isPublished = !!(pkg.name && pkg.version && !isPrivate);
+      // Libraries: have an entry point, are published to npm, and don't have a start script
+      // Apps: are private and/or have a start script
+      if (hasEntry && isPublished && !hasStart) {
+        stack.isLibrary = true;
+      }
+    } catch (e) { /* ignore */ }
+  }
+
+  return stack;
+}

package/src/fix-engine.js

@@ -0,0 +1,48 @@
+/**
+ * Data-driven fix engine. Each fix is a compact entry:
+ *   { id, match: RegExp, replace: string|fn, lang: string, tier: 1|2, title: string, safe?: boolean }
+ *
+ * safe: true  = deterministic, low-risk (direct replacements like md5→sha256)
+ * safe: false = may need review (adds comments, restructures code)
+ * tier 1 fixes are generally safe; tier 2 may need review.
+ */
+
+export function applyRegistryFix(content, entry) {
+  if (!entry.match || !entry.replace) return null;
+  const modified = content.replace(entry.match, entry.replace);
+  return modified !== content ? modified : null;
+}
+
+export function applyAllRegistryFixes(content, filePath, entries) {
+  let current = content;
+  const applied = [];
+  for (const entry of entries) {
+    // Filter by language/file extension
+    if (entry.lang && !matchesLang(filePath, entry.lang)) continue;
+    const result = applyRegistryFix(current, entry);
+    if (result) {
+      current = result;
+      applied.push(entry);
+    }
+  }
+  return { content: current, applied };
+}
+
+function matchesLang(filePath, lang) {
+  const extMap = {
+    js: /\.(js|jsx|ts|tsx|mjs|cjs)$/i,
+    py: /\.(py|pyw)$/i,
+    go: /\.go$/i,
+    rust: /\.rs$/i,
+    java: /\.java$/i,
+    csharp: /\.(cs|csx)$/i,
+    ruby: /\.(rb|rake|gemspec)$/i,
+    php: /\.(php|phtml)$/i,
+    shell: /\.(sh|bash|zsh|ksh)$/i,
+    swift: /\.swift$/i,
+    dart: /\.dart$/i,
+    any: /./,
+  };
+  const re = extMap[lang] || extMap.any;
+  return re.test(filePath);
+}

package/src/fix-registry-extra.js

@@ -0,0 +1,95 @@
+// Extra fixes: Swift, Dart, Shell, Infrastructure, Docker, CI/CD (80 entries)
+const fixes = [
+  // --- Swift (1-15) ---
+  { id: 'rfx-swift-001', match: /NSLog\(.*password/gi, replace: '/* SECURITY: do not log passwords */', lang: 'swift', tier: 1, title: 'Remove password from NSLog' },
+  { id: 'rfx-swift-002', match: /NSLog\(.*token/gi, replace: '/* SECURITY: do not log tokens */', lang: 'swift', tier: 1, title: 'Remove token from NSLog' },
+  { id: 'rfx-swift-003', match: /print\(.*password/gi, replace: '/* SECURITY: do not print passwords */', lang: 'swift', tier: 1, title: 'Remove password from print' },
+  { id: 'rfx-swift-004', match: /UserDefaults\.standard\.set\(.*(?:password|token|secret)/gi, replace: (m) => `/* SECURITY: use Keychain, not UserDefaults for secrets */ ${m}`, lang: 'swift', tier: 2, title: 'Use Keychain instead of UserDefaults for secrets' },
+  { id: 'rfx-swift-005', match: /allowsArbitraryLoads.*true/g, replace: '/* SECURITY: disable ATS bypass */ allowsArbitraryLoads: false', lang: 'swift', tier: 1, title: 'Disable App Transport Security bypass' },
+  { id: 'rfx-swift-006', match: /CC_MD5\(/g, replace: 'CC_SHA256(', lang: 'swift', tier: 1, title: 'Replace MD5 with SHA-256 in Swift' },
+  { id: 'rfx-swift-007', match: /\.serverTrust\s*!\s*$/gm, replace: '/* SECURITY: validate server trust properly */ .serverTrust', lang: 'swift', tier: 2, title: 'Flag force-unwrapped server trust' },
+  { id: 'rfx-swift-008', match: /URLSession\.shared/g, replace: '/* consider custom URLSession with timeout config */ URLSession.shared', lang: 'swift', tier: 2, title: 'Use custom URLSession with timeout' },
+  { id: 'rfx-swift-009', match: /kSecAttrAccessibleAlways\b/g, replace: 'kSecAttrAccessibleWhenUnlockedThisDeviceOnly', lang: 'swift', tier: 1, title: 'Restrict Keychain accessibility' },
+  { id: 'rfx-swift-010', match: /canEvaluatePolicy.*\.deviceOwnerAuthentication(?!WithBiometrics)/g, replace: (m) => m.replace('deviceOwnerAuthentication', 'deviceOwnerAuthenticationWithBiometrics'), lang: 'swift', tier: 1, title: 'Require biometrics, not just passcode' },
+  { id: 'rfx-swift-011', match: /try!\s/g, replace: '/* avoid force try */ try ', lang: 'swift', tier: 1, title: 'Replace force try with proper error handling' },
+  { id: 'rfx-swift-012', match: /as!\s/g, replace: '/* avoid force cast */ as? ', lang: 'swift', tier: 1, title: 'Replace force cast with optional cast' },
+  { id: 'rfx-swift-013', match: /\.validate\(\s*false\s*\)/g, replace: '.validate(true)', lang: 'swift', tier: 1, title: 'Enable SSL validation in Swift' },
+  { id: 'rfx-swift-014', match: /UIPasteboard\.general\.string\s*=.*(?:password|token|secret)/gi, replace: '/* SECURITY: do not copy secrets to pasteboard */', lang: 'swift', tier: 1, title: 'Prevent secrets on pasteboard' },
+  { id: 'rfx-swift-015', match: /isSecureTextEntry\s*=\s*false/g, replace: 'isSecureTextEntry = true', lang: 'swift', tier: 1, title: 'Enable secure text entry for password fields' },
+
+  // --- Dart/Flutter (16-30) ---
+  { id: 'rfx-dart-001', match: /print\(.*password/gi, replace: '/* SECURITY: do not print passwords */', lang: 'dart', tier: 1, title: 'Remove password from print' },
+  { id: 'rfx-dart-002', match: /print\(.*token/gi, replace: '/* SECURITY: do not print tokens */', lang: 'dart', tier: 1, title: 'Remove token from print' },
+  { id: 'rfx-dart-003', match: /SharedPreferences.*(?:password|token|secret|apiKey)/gi, replace: (m) => `/* SECURITY: use flutter_secure_storage, not SharedPreferences */ ${m}`, lang: 'dart', tier: 2, title: 'Use secure storage for secrets in Dart' },
+  { id: 'rfx-dart-004', match: /HttpClient\(\)\.badCertificateCallback\s*=\s*\([^)]*\)\s*=>\s*true/g, replace: '/* SECURITY: do not bypass cert validation */ HttpClient().badCertificateCallback = (cert, host, port) => false', lang: 'dart', tier: 1, title: 'Enable certificate validation in Dart' },
+  { id: 'rfx-dart-005', match: /md5\.convert\(/g, replace: 'sha256.convert(', lang: 'dart', tier: 1, title: 'Replace MD5 with SHA-256 in Dart' },
+  { id: 'rfx-dart-006', match: /sha1\.convert\(/g, replace: 'sha256.convert(', lang: 'dart', tier: 1, title: 'Replace SHA-1 with SHA-256 in Dart' },
+  { id: 'rfx-dart-007', match: /Random\(\)/g, replace: 'Random.secure()', lang: 'dart', tier: 1, title: 'Use Random.secure() in Dart' },
+  { id: 'rfx-dart-008', match: /debugPrint\(.*(?:password|token|secret)/gi, replace: '/* SECURITY: do not debug-print secrets */', lang: 'dart', tier: 1, title: 'Remove secrets from debugPrint' },
+  { id: 'rfx-dart-009', match: /assert\(.*(?:isLoggedIn|authenticated)/gi, replace: (m) => `/* use proper auth check, not assert (stripped in release) */ ${m}`, lang: 'dart', tier: 2, title: 'Replace auth assert with proper check' },
+  { id: 'rfx-dart-010', match: /kDebugMode.*true/g, replace: 'kDebugMode /* already controlled by build mode */', lang: 'dart', tier: 1, title: 'Confirm debug mode usage' },
+  { id: 'rfx-dart-011', match: /\.allowAutoSignedCert\s*=\s*true/g, replace: '.allowAutoSignedCert = false', lang: 'dart', tier: 1, title: 'Disable auto-signed certs in Dart' },
+  { id: 'rfx-dart-012', match: /WebView\(.*javascriptMode:\s*JavascriptMode\.unrestricted/g, replace: (m) => `/* SECURITY: restrict JS in WebView */ ${m.replace('unrestricted', 'disabled')}`, lang: 'dart', tier: 1, title: 'Restrict JavaScript in Dart WebView' },
+  { id: 'rfx-dart-013', match: /html:\s*['"]<script/gi, replace: (m) => `/* SECURITY: XSS in WebView */ ${m}`, lang: 'dart', tier: 2, title: 'Flag XSS in Dart WebView HTML' },
+  { id: 'rfx-dart-014', match: /Uri\.parse\(\s*(?:input|userInput|data)/g, replace: '/* SECURITY: validate URL */ Uri.parse(input', lang: 'dart', tier: 2, title: 'Validate user URL input in Dart' },
+  { id: 'rfx-dart-015', match: /Process\.run\(\s*['"]sh['"]\s*,\s*\['-c'/g, replace: '/* SECURITY: command injection risk */ Process.run("sh", ["-c"', lang: 'dart', tier: 2, title: 'Flag shell execution in Dart' },
+
+  // --- Shell (31-45) ---
+  { id: 'rfx-sh-001', match: /curl\s+[^|]*\|\s*(?:ba)?sh/g, replace: '/* SECURITY: pipe-to-shell is dangerous — download, verify, then run */', lang: 'shell', tier: 2, title: 'Flag curl pipe to shell' },
+  { id: 'rfx-sh-002', match: /wget\s+[^|]*\|\s*(?:ba)?sh/g, replace: '/* SECURITY: pipe-to-shell is dangerous */', lang: 'shell', tier: 2, title: 'Flag wget pipe to shell' },
+  { id: 'rfx-sh-003', match: /chmod\s+777\b/g, replace: 'chmod 755', lang: 'shell', tier: 1, title: 'Reduce permissions from 777 to 755' },
+  { id: 'rfx-sh-004', match: /chmod\s+666\b/g, replace: 'chmod 644', lang: 'shell', tier: 1, title: 'Reduce permissions from 666 to 644' },
+  { id: 'rfx-sh-005', match: /eval\s+"\$\{?\w+\}?"/g, replace: '/* SECURITY: eval with variables is injection risk */', lang: 'shell', tier: 2, title: 'Flag eval with variables in shell' },
+  { id: 'rfx-sh-006', match: /^\s*#!/gm, replace: '#!/', lang: 'shell', tier: 1, title: 'Normalize shebang' },
+  { id: 'rfx-sh-007', match: /rm\s+-rf\s+\/(?!\w)/g, replace: '/* DANGER: rm -rf / — BLOCKED */', lang: 'shell', tier: 1, title: 'Block rm -rf /' },
+  { id: 'rfx-sh-008', match: /rm\s+-rf\s+"\$\{?\w*\}?\/"/g, replace: (m) => `/* SECURITY: validate variable before rm -rf */ ${m}`, lang: 'shell', tier: 2, title: 'Flag rm -rf with variable path' },
+  { id: 'rfx-sh-009', match: /mktemp\s+\/tmp\/\w+/g, replace: 'mktemp /tmp/XXXXXXXX', lang: 'shell', tier: 1, title: 'Use random suffix in mktemp' },
+  { id: 'rfx-sh-010', match: /echo\s+.*password/gi, replace: '# SECURITY: do not echo passwords', lang: 'shell', tier: 1, title: 'Remove password echo in shell' },
+  { id: 'rfx-sh-011', match: /echo\s+.*(?:SECRET|TOKEN|API_KEY)\s*=/gi, replace: '# SECURITY: do not echo secrets', lang: 'shell', tier: 1, title: 'Remove secret echo in shell' },
+  { id: 'rfx-sh-012', match: /scp\s+-o\s+StrictHostKeyChecking=no/g, replace: 'scp -o StrictHostKeyChecking=yes', lang: 'shell', tier: 1, title: 'Enable SSH host key checking' },
+  { id: 'rfx-sh-013', match: /ssh\s+-o\s+StrictHostKeyChecking=no/g, replace: 'ssh -o StrictHostKeyChecking=yes', lang: 'shell', tier: 1, title: 'Enable SSH host key checking' },
+  { id: 'rfx-sh-014', match: /tar\s+.*--absolute-names/g, replace: (m) => `/* SECURITY: absolute paths in tar can overwrite system files */ ${m}`, lang: 'shell', tier: 2, title: 'Flag tar with absolute names' },
+  { id: 'rfx-sh-015', match: /nc\s+-l.*-e\s/g, replace: '/* SECURITY: netcat reverse shell pattern */', lang: 'shell', tier: 2, title: 'Flag netcat reverse shell' },
+
+  // --- Docker (46-60) ---
+  { id: 'rfx-docker-001', match: /FROM\s+\S+:latest/g, replace: (m) => m.replace(':latest', ':specific-version /* pin image version */'), lang: 'any', tier: 1, title: 'Pin Docker base image version' },
+  { id: 'rfx-docker-002', match: /USER\s+root/g, replace: 'USER nonroot', lang: 'any', tier: 1, title: 'Run Docker container as non-root' },
+  { id: 'rfx-docker-003', match: /--privileged/g, replace: '/* SECURITY: avoid --privileged */ --cap-add=SPECIFIC_CAP', lang: 'any', tier: 2, title: 'Remove Docker privileged flag' },
+  { id: 'rfx-docker-004', match: /EXPOSE\s+22\b/g, replace: '# SECURITY: do not expose SSH in container\n# EXPOSE 22', lang: 'any', tier: 1, title: 'Remove SSH port exposure in Docker' },
+  { id: 'rfx-docker-005', match: /ENV\s+(?:PASSWORD|SECRET|API_KEY|TOKEN)\s*=\s*\S+/gi, replace: '# SECURITY: use --env-file or secrets, not ENV for secrets', lang: 'any', tier: 1, title: 'Remove hardcoded secrets from Dockerfile ENV' },
+  { id: 'rfx-docker-006', match: /ADD\s+https?:/g, replace: '# SECURITY: use COPY + curl with checksum instead of ADD\nADD https:', lang: 'any', tier: 2, title: 'Replace Docker ADD URL with COPY' },
+  { id: 'rfx-docker-007', match: /apt-get\s+install(?![^&]*--no-install-recommends)/g, replace: 'apt-get install --no-install-recommends', lang: 'any', tier: 1, title: 'Add --no-install-recommends to apt-get' },
+  { id: 'rfx-docker-008', match: /COPY\s+\.\s+\./g, replace: '# Use .dockerignore to exclude secrets\nCOPY . .', lang: 'any', tier: 2, title: 'Flag COPY . . without .dockerignore note' },
+  { id: 'rfx-docker-009', match: /--security-opt\s+seccomp=unconfined/g, replace: '/* SECURITY: do not disable seccomp */', lang: 'any', tier: 2, title: 'Remove seccomp disable' },
+  { id: 'rfx-docker-010', match: /--net=host/g, replace: '/* SECURITY: avoid host networking */ --net=bridge', lang: 'any', tier: 1, title: 'Replace Docker host networking with bridge' },
+  { id: 'rfx-docker-011', match: /HEALTHCHECK\s+NONE/g, replace: 'HEALTHCHECK CMD curl -f http://localhost/ || exit 1', lang: 'any', tier: 1, title: 'Add Docker health check' },
+  { id: 'rfx-docker-012', match: /volumes:\s*\n\s*-\s*\/:/gm, replace: '# SECURITY: do not mount root filesystem\nvolumes:\n  - /app:', lang: 'any', tier: 2, title: 'Restrict Docker volume mount' },
+  { id: 'rfx-docker-013', match: /cap_add:\s*\n\s*-\s*ALL/gm, replace: '# SECURITY: add only needed capabilities\ncap_add:\n  - NET_BIND_SERVICE', lang: 'any', tier: 1, title: 'Restrict Docker capabilities' },
+  { id: 'rfx-docker-014', match: /read_only:\s*false/g, replace: 'read_only: true', lang: 'any', tier: 1, title: 'Enable Docker read-only filesystem' },
+  { id: 'rfx-docker-015', match: /pids_limit:\s*-1/g, replace: 'pids_limit: 100', lang: 'any', tier: 1, title: 'Set Docker PID limit' },
+
+  // --- CI/CD (61-75) ---
+  { id: 'rfx-ci-001', match: /permissions:\s*write-all/g, replace: 'permissions: read-all', lang: 'any', tier: 1, title: 'Restrict CI permissions from write-all' },
+  { id: 'rfx-ci-002', match: /actions\/checkout@v[12]\b/g, replace: 'actions/checkout@v4', lang: 'any', tier: 1, title: 'Upgrade actions/checkout to v4' },
+  { id: 'rfx-ci-003', match: /echo\s+.*\$\{\{\s*secrets\./g, replace: '# SECURITY: do not echo secrets in CI logs', lang: 'any', tier: 1, title: 'Remove secret echoing in CI' },
+  { id: 'rfx-ci-004', match: /\$\{\{\s*github\.event\.issue\.body\s*\}\}/g, replace: '/* SECURITY: user-controlled input — sanitize */', lang: 'any', tier: 2, title: 'Flag unsanitized GitHub event body' },
+  { id: 'rfx-ci-005', match: /\$\{\{\s*github\.event\.pull_request\.title\s*\}\}/g, replace: '/* SECURITY: user-controlled input — sanitize */', lang: 'any', tier: 2, title: 'Flag unsanitized PR title in CI' },
+  { id: 'rfx-ci-006', match: /npm\s+publish(?!\s+--dry-run)/g, replace: 'npm publish --provenance', lang: 'any', tier: 1, title: 'Add provenance to npm publish' },
+  { id: 'rfx-ci-007', match: /pip\s+install(?!\s+--require-hashes)/g, replace: (m) => `${m} /* consider --require-hashes */`, lang: 'any', tier: 2, title: 'Suggest pip --require-hashes' },
+  { id: 'rfx-ci-008', match: /continue-on-error:\s*true/g, replace: '# review: continue-on-error may hide failures\ncontinue-on-error: true', lang: 'any', tier: 2, title: 'Flag continue-on-error in CI' },
+  { id: 'rfx-ci-009', match: /if:\s*always\(\)/g, replace: 'if: always() # ensure this is intentional', lang: 'any', tier: 2, title: 'Flag always() condition in CI' },
+  { id: 'rfx-ci-010', match: /runs-on:\s*self-hosted(?!\s*#)/g, replace: 'runs-on: self-hosted # ensure runner is hardened', lang: 'any', tier: 2, title: 'Note self-hosted runner security' },
+  { id: 'rfx-ci-011', match: /ACTIONS_ALLOW_UNSECURE_COMMANDS.*true/g, replace: '# SECURITY: do not allow unsecure commands\n# ACTIONS_ALLOW_UNSECURE_COMMANDS: true', lang: 'any', tier: 1, title: 'Disable unsecure CI commands' },
+  { id: 'rfx-ci-012', match: /npm_token.*\$\{\{\s*secrets/gi, replace: (m) => m, lang: 'any', tier: 1, title: 'Confirm NPM token from secrets (ok)' },
+  { id: 'rfx-ci-013', match: /--no-verify/g, replace: '/* avoid --no-verify — hooks exist for a reason */', lang: 'any', tier: 2, title: 'Flag --no-verify in CI' },
+  { id: 'rfx-ci-014', match: /git push --force/g, replace: '/* SECURITY: avoid force push */ git push', lang: 'any', tier: 2, title: 'Flag force push in CI' },
+  { id: 'rfx-ci-015', match: /curl\s+.*\|\s*(?:ba)?sh/g, replace: '# SECURITY: download, verify checksum, then execute', lang: 'any', tier: 2, title: 'Flag curl-pipe-to-shell in CI' },
+
+  // --- Terraform/IaC (76-80) ---
+  { id: 'rfx-iac-001', match: /ingress\s*\{[^}]*cidr_blocks\s*=\s*\[\s*"0\.0\.0\.0\/0"\s*\]/g, replace: (m) => m.replace('0.0.0.0/0', '10.0.0.0/8 /* restrict CIDR */'), lang: 'any', tier: 1, title: 'Restrict Terraform ingress CIDR' },
+  { id: 'rfx-iac-002', match: /acl\s*=\s*"public-read"/g, replace: 'acl = "private"', lang: 'any', tier: 1, title: 'Set S3 bucket to private' },
+  { id: 'rfx-iac-003', match: /encrypted\s*=\s*false/g, replace: 'encrypted = true', lang: 'any', tier: 1, title: 'Enable encryption in Terraform' },
+  { id: 'rfx-iac-004', match: /publicly_accessible\s*=\s*true/g, replace: 'publicly_accessible = false', lang: 'any', tier: 1, title: 'Disable public access in Terraform' },
+  { id: 'rfx-iac-005', match: /versioning\s*\{[^}]*enabled\s*=\s*false/g, replace: (m) => m.replace('enabled = false', 'enabled = true'), lang: 'any', tier: 1, title: 'Enable S3 versioning' },
+];
+export default fixes;

package/src/fix-registry-go-rust.js

@@ -0,0 +1,77 @@
+// Data-driven Go + Rust auto-fixes (70 entries: 35 Go + 35 Rust)
+const fixes = [
+  // --- Go (1-35) ---
+  { id: 'rfx-go-001', match: /fmt\.Sprintf\("SELECT\s+[^"]*%s/g, replace: (m) => `/* SECURITY: use parameterized query */ ${m}`, lang: 'go', tier: 2, title: 'Flag Go SQL string formatting' },
+  { id: 'rfx-go-002', match: /fmt\.Sprintf\("INSERT\s+[^"]*%s/g, replace: (m) => `/* SECURITY: use parameterized query */ ${m}`, lang: 'go', tier: 2, title: 'Flag Go SQL INSERT formatting' },
+  { id: 'rfx-go-003', match: /fmt\.Sprintf\("UPDATE\s+[^"]*%s/g, replace: (m) => `/* SECURITY: use parameterized query */ ${m}`, lang: 'go', tier: 2, title: 'Flag Go SQL UPDATE formatting' },
+  { id: 'rfx-go-004', match: /fmt\.Sprintf\("DELETE\s+[^"]*%s/g, replace: (m) => `/* SECURITY: use parameterized query */ ${m}`, lang: 'go', tier: 2, title: 'Flag Go SQL DELETE formatting' },
+  { id: 'rfx-go-005', match: /exec\.Command\(\s*fmt\.Sprintf/g, replace: '/* SECURITY: command injection risk */ exec.Command(fmt.Sprintf', lang: 'go', tier: 2, title: 'Flag Go command injection' },
+  { id: 'rfx-go-006', match: /exec\.Command\(\s*"sh"\s*,\s*"-c"\s*,/g, replace: '/* SECURITY: avoid sh -c — use direct exec */ exec.Command("sh", "-c",', lang: 'go', tier: 2, title: 'Flag shell execution in Go' },
+  { id: 'rfx-go-007', match: /filepath\.Join\(\s*\w+\s*,\s*r\.(?:URL\.Query|FormValue|PostFormValue)/g, replace: (m) => `/* SECURITY: path traversal — validate input */ ${m}`, lang: 'go', tier: 2, title: 'Flag path traversal in Go' },
+  { id: 'rfx-go-008', match: /tls\.Config\{[^}]*MinVersion:\s*tls\.VersionTLS1[01]/g, replace: (m) => m.replace(/MinVersion:\s*tls\.VersionTLS1[01]/, 'MinVersion: tls.VersionTLS12'), lang: 'go', tier: 1, title: 'Upgrade Go TLS minimum to 1.2' },
+  { id: 'rfx-go-009', match: /tls\.Config\{[^}]*InsecureSkipVerify:\s*true/g, replace: (m) => m.replace('InsecureSkipVerify: true', 'InsecureSkipVerify: false'), lang: 'go', tier: 1, title: 'Enable TLS verification in Go' },
+  { id: 'rfx-go-010', match: /md5\.Sum\(/g, replace: 'sha256.Sum256(', lang: 'go', tier: 1, title: 'Replace Go MD5 with SHA-256' },
+  { id: 'rfx-go-011', match: /sha1\.Sum\(/g, replace: 'sha256.Sum256(', lang: 'go', tier: 1, title: 'Replace Go SHA-1 with SHA-256' },
+  { id: 'rfx-go-012', match: /md5\.New\(\)/g, replace: 'sha256.New()', lang: 'go', tier: 1, title: 'Replace Go md5.New with sha256.New' },
+  { id: 'rfx-go-013', match: /math\/rand/g, replace: 'crypto/rand', lang: 'go', tier: 1, title: 'Replace math/rand with crypto/rand' },
+  { id: 'rfx-go-014', match: /rand\.Intn\(/g, replace: '/* SECURITY: use crypto/rand for security */ rand.Intn(', lang: 'go', tier: 2, title: 'Flag math/rand for security use' },
+  { id: 'rfx-go-015', match: /http\.ListenAndServe\(/g, replace: 'http.ListenAndServeTLS(', lang: 'go', tier: 2, title: 'Suggest HTTPS in Go server' },
+  { id: 'rfx-go-016', match: /\bdefer\s+rows\.Close\(\)/g, replace: 'defer rows.Close()', lang: 'go', tier: 1, title: 'Confirm deferred rows.Close' },
+  { id: 'rfx-go-017', match: /http\.Client\{\s*\}/g, replace: 'http.Client{Timeout: 30 * time.Second}', lang: 'go', tier: 1, title: 'Add timeout to Go HTTP client' },
+  { id: 'rfx-go-018', match: /http\.DefaultClient/g, replace: '&http.Client{Timeout: 30 * time.Second}', lang: 'go', tier: 1, title: 'Replace DefaultClient with timeout client' },
+  { id: 'rfx-go-019', match: /os\.Getenv\("(PASSWORD|SECRET|API_KEY|TOKEN)"\)/g, replace: (m, key) => `os.Getenv("${key}") /* ensure set in environment */`, lang: 'go', tier: 1, title: 'Note env var dependency for secrets' },
+  { id: 'rfx-go-020', match: /template\.New\(/g, replace: '/* Use html/template for web output */ template.New(', lang: 'go', tier: 2, title: 'Suggest html/template over text/template' },
+  { id: 'rfx-go-021', match: /text\/template/g, replace: 'html/template', lang: 'go', tier: 1, title: 'Replace text/template with html/template' },
+  { id: 'rfx-go-022', match: /w\.Header\(\)\.Set\("Access-Control-Allow-Origin",\s*"\*"\)/g, replace: 'w.Header().Set("Access-Control-Allow-Origin", os.Getenv("ALLOWED_ORIGIN"))', lang: 'go', tier: 1, title: 'Restrict Go CORS wildcard' },
+  { id: 'rfx-go-023', match: /os\.MkdirAll\([^,]+,\s*0o?777\)/g, replace: (m) => m.replace(/0o?777/, '0o755'), lang: 'go', tier: 1, title: 'Reduce Go directory permissions' },
+  { id: 'rfx-go-024', match: /os\.WriteFile\([^,]+,\s*[^,]+,\s*0o?666\)/g, replace: (m) => m.replace(/0o?666/, '0o644'), lang: 'go', tier: 1, title: 'Reduce Go file permissions' },
+  { id: 'rfx-go-025', match: /log\.Printf?\(.*password/gi, replace: (m) => m.replace(/password\w*/gi, '"[REDACTED]"'), lang: 'go', tier: 1, title: 'Redact passwords in Go logs' },
+  { id: 'rfx-go-026', match: /log\.Printf?\(.*token/gi, replace: (m) => m.replace(/token\w*/gi, '"[REDACTED]"'), lang: 'go', tier: 1, title: 'Redact tokens in Go logs' },
+  { id: 'rfx-go-027', match: /http\.Redirect\(\s*w\s*,\s*r\s*,\s*r\.(URL\.Query|FormValue)/g, replace: (m) => `/* SECURITY: open redirect risk */ ${m}`, lang: 'go', tier: 2, title: 'Flag Go open redirect' },
+  { id: 'rfx-go-028', match: /json\.NewDecoder\(r\.Body\)\.Decode/g, replace: '/* limit request body size */ json.NewDecoder(io.LimitReader(r.Body, 1048576)).Decode', lang: 'go', tier: 1, title: 'Limit request body size in Go' },
+  { id: 'rfx-go-029', match: /http\.HandleFunc\(/g, replace: 'http.HandleFunc( /* ensure auth middleware */', lang: 'go', tier: 2, title: 'Remind about auth middleware' },
+  { id: 'rfx-go-030', match: /ioutil\.ReadFile\(\s*r\.(URL|FormValue)/g, replace: (m) => `/* SECURITY: path traversal risk */ ${m}`, lang: 'go', tier: 2, title: 'Flag file read with user input' },
+  { id: 'rfx-go-031', match: /des\./g, replace: '/* SECURITY: DES is broken — use AES */ des.', lang: 'go', tier: 2, title: 'Flag DES usage in Go' },
+  { id: 'rfx-go-032', match: /rc4\./g, replace: '/* SECURITY: RC4 is broken — use AES */ rc4.', lang: 'go', tier: 2, title: 'Flag RC4 usage in Go' },
+  { id: 'rfx-go-033', match: /gin\.SetMode\(\s*gin\.DebugMode\s*\)/g, replace: 'gin.SetMode(gin.ReleaseMode)', lang: 'go', tier: 1, title: 'Set Gin to release mode' },
+  { id: 'rfx-go-034', match: /\.NoRoute\(\s*func/g, replace: '.NoRoute(func', lang: 'go', tier: 1, title: 'Confirm 404 handler exists' },
+  { id: 'rfx-go-035', match: /panic\(\s*err\)/g, replace: '/* avoid panic in production */ log.Fatal(err)', lang: 'go', tier: 1, title: 'Replace panic with log.Fatal' },
+
+  // --- Rust (36-70) ---
+  { id: 'rfx-rs-001', match: /format!\("SELECT\s+[^"]*\{/g, replace: (m) => `/* SECURITY: use parameterized query */ ${m}`, lang: 'rust', tier: 2, title: 'Flag Rust SQL format! injection' },
+  { id: 'rfx-rs-002', match: /format!\("INSERT\s+[^"]*\{/g, replace: (m) => `/* SECURITY: use parameterized query */ ${m}`, lang: 'rust', tier: 2, title: 'Flag Rust SQL INSERT format!' },
+  { id: 'rfx-rs-003', match: /format!\("UPDATE\s+[^"]*\{/g, replace: (m) => `/* SECURITY: use parameterized query */ ${m}`, lang: 'rust', tier: 2, title: 'Flag Rust SQL UPDATE format!' },
+  { id: 'rfx-rs-004', match: /format!\("DELETE\s+[^"]*\{/g, replace: (m) => `/* SECURITY: use parameterized query */ ${m}`, lang: 'rust', tier: 2, title: 'Flag Rust SQL DELETE format!' },
+  { id: 'rfx-rs-005', match: /\.unwrap\(\)/g, replace: '.expect("TODO: handle error")', lang: 'rust', tier: 1, title: 'Replace unwrap with expect' },
+  { id: 'rfx-rs-006', match: /\.unwrap_or\(\s*""\s*\)/g, replace: '.unwrap_or_default()', lang: 'rust', tier: 1, title: 'Use unwrap_or_default' },
+  { id: 'rfx-rs-007', match: /unsafe\s*\{/g, replace: '/* SAFETY: document why unsafe is needed */ unsafe {', lang: 'rust', tier: 2, title: 'Require safety comment for unsafe block' },
+  { id: 'rfx-rs-008', match: /std::process::Command::new\(\s*&?format!/g, replace: '/* SECURITY: command injection risk */ std::process::Command::new(&format!', lang: 'rust', tier: 2, title: 'Flag Rust command injection' },
+  { id: 'rfx-rs-009', match: /Md5::new\(\)/g, replace: 'Sha256::new()', lang: 'rust', tier: 1, title: 'Replace Rust MD5 with SHA-256' },
+  { id: 'rfx-rs-010', match: /Sha1::new\(\)/g, replace: 'Sha256::new()', lang: 'rust', tier: 1, title: 'Replace Rust SHA-1 with SHA-256' },
+  { id: 'rfx-rs-011', match: /use\s+md5/g, replace: 'use sha2', lang: 'rust', tier: 1, title: 'Replace md5 crate with sha2' },
+  { id: 'rfx-rs-012', match: /thread_rng\(\)/g, replace: 'OsRng', lang: 'rust', tier: 1, title: 'Replace thread_rng with OsRng for security' },
+  { id: 'rfx-rs-013', match: /rand::random/g, replace: '/* use rand::rngs::OsRng for security */ rand::random', lang: 'rust', tier: 2, title: 'Flag rand::random for security use' },
+  { id: 'rfx-rs-014', match: /\.danger_accept_invalid_certs\(\s*true\s*\)/g, replace: '.danger_accept_invalid_certs(false)', lang: 'rust', tier: 1, title: 'Enable Rust TLS cert verification' },
+  { id: 'rfx-rs-015', match: /\.danger_accept_invalid_hostnames\(\s*true\s*\)/g, replace: '.danger_accept_invalid_hostnames(false)', lang: 'rust', tier: 1, title: 'Enable Rust hostname verification' },
+  { id: 'rfx-rs-016', match: /std::fs::set_permissions.*Permissions::from_mode\(0o777\)/g, replace: (m) => m.replace('0o777', '0o755'), lang: 'rust', tier: 1, title: 'Reduce Rust file permissions' },
+  { id: 'rfx-rs-017', match: /panic!\(/g, replace: '/* avoid panic in production */ log::error!(', lang: 'rust', tier: 2, title: 'Replace panic! with log::error!' },
+  { id: 'rfx-rs-018', match: /todo!\(\)/g, replace: 'unimplemented!("TODO: implement this")', lang: 'rust', tier: 1, title: 'Replace todo! with explicit unimplemented' },
+  { id: 'rfx-rs-019', match: /println!\(".*password/gi, replace: '/* SECURITY: do not print passwords */', lang: 'rust', tier: 1, title: 'Remove password printing in Rust' },
+  { id: 'rfx-rs-020', match: /println!\(".*secret/gi, replace: '/* SECURITY: do not print secrets */', lang: 'rust', tier: 1, title: 'Remove secret printing in Rust' },
+  { id: 'rfx-rs-021', match: /println!\(".*token/gi, replace: '/* SECURITY: do not print tokens */', lang: 'rust', tier: 1, title: 'Remove token printing in Rust' },
+  { id: 'rfx-rs-022', match: /env!?\("(PASSWORD|SECRET|API_KEY|TOKEN)"\)/g, replace: (m) => `std::env::var("$1").expect("$1 must be set")`, lang: 'rust', tier: 1, title: 'Use runtime env var for secrets' },
+  { id: 'rfx-rs-023', match: /CorsLayer::permissive\(\)/g, replace: 'CorsLayer::new().allow_origin("http://localhost:3000".parse::<HeaderValue>().unwrap())', lang: 'rust', tier: 1, title: 'Restrict Rust CORS from permissive' },
+  { id: 'rfx-rs-024', match: /\.allow_origin\(\s*Any\s*\)/g, replace: '.allow_origin("http://localhost:3000".parse::<HeaderValue>().unwrap())', lang: 'rust', tier: 1, title: 'Replace CORS Any origin' },
+  { id: 'rfx-rs-025', match: /Duration::from_secs\(\s*0\s*\)/g, replace: 'Duration::from_secs(30)', lang: 'rust', tier: 1, title: 'Set non-zero timeout duration' },
+  { id: 'rfx-rs-026', match: /serde_json::from_str\(\s*&?body/g, replace: '/* validate input size before parsing */ serde_json::from_str(&body', lang: 'rust', tier: 2, title: 'Validate body size before JSON parsing' },
+  { id: 'rfx-rs-027', match: /Path::new\(\s*&?(?:query|param|input)/g, replace: '/* SECURITY: validate path component */ Path::new(&query', lang: 'rust', tier: 2, title: 'Flag path with user input' },
+  { id: 'rfx-rs-028', match: /std::fs::read_to_string\(\s*&?(?:query|param|input)/g, replace: '/* SECURITY: path traversal risk */ std::fs::read_to_string(&query', lang: 'rust', tier: 2, title: 'Flag file read with user input' },
+  { id: 'rfx-rs-029', match: /Regex::new\(\s*&?(?:query|param|input)/g, replace: '/* SECURITY: ReDoS risk */ Regex::new(&regex::escape(&query', lang: 'rust', tier: 2, title: 'Escape user input in Rust regex' },
+  { id: 'rfx-rs-030', match: /bincode::deserialize/g, replace: '/* SECURITY: validate input before deserializing */ bincode::deserialize', lang: 'rust', tier: 2, title: 'Flag bincode deserialization' },
+  { id: 'rfx-rs-031', match: /serde_yaml::from_str/g, replace: '/* validate YAML source is trusted */ serde_yaml::from_str', lang: 'rust', tier: 2, title: 'Flag YAML deserialization' },
+  { id: 'rfx-rs-032', match: /\.timeout\(\s*None\s*\)/g, replace: '.timeout(Some(Duration::from_secs(30)))', lang: 'rust', tier: 1, title: 'Set timeout instead of None' },
+  { id: 'rfx-rs-033', match: /actix_web::HttpServer::new.*\.workers\(\s*1\s*\)/g, replace: (m) => m.replace('.workers(1)', '.workers(num_cpus::get())'), lang: 'rust', tier: 1, title: 'Use CPU count for Actix workers' },
+  { id: 'rfx-rs-034', match: /\.cookie_secure\(\s*false\s*\)/g, replace: '.cookie_secure(true)', lang: 'rust', tier: 1, title: 'Enable secure cookies in Rust' },
+  { id: 'rfx-rs-035', match: /\.cookie_http_only\(\s*false\s*\)/g, replace: '.cookie_http_only(true)', lang: 'rust', tier: 1, title: 'Enable httpOnly cookies in Rust' },
+];
+export default fixes;

package/src/fix-registry-java-csharp.js

@@ -0,0 +1,77 @@
+// Data-driven Java + C# auto-fixes (70 entries: 35 Java + 35 C#)
+const fixes = [
+  // --- Java (1-35) ---
+  { id: 'rfx-java-001', match: /Statement\s+\w+\s*=.*createStatement/g, replace: (m) => `/* SECURITY: use PreparedStatement instead */ ${m}`, lang: 'java', tier: 2, title: 'Flag Java Statement (use PreparedStatement)' },
+  { id: 'rfx-java-002', match: /executeQuery\(\s*"SELECT\s+[^"]*"\s*\+/g, replace: (m) => `/* SECURITY: SQL injection — use parameterized query */ ${m}`, lang: 'java', tier: 2, title: 'Flag Java SQL concatenation' },
+  { id: 'rfx-java-003', match: /executeUpdate\(\s*"(?:INSERT|UPDATE|DELETE)\s+[^"]*"\s*\+/g, replace: (m) => `/* SECURITY: SQL injection — use parameterized query */ ${m}`, lang: 'java', tier: 2, title: 'Flag Java SQL mutation concatenation' },
+  { id: 'rfx-java-004', match: /Runtime\.getRuntime\(\)\.exec\(\s*"[^"]*"\s*\+/g, replace: (m) => `/* SECURITY: command injection */ ${m}`, lang: 'java', tier: 2, title: 'Flag Java command injection' },
+  { id: 'rfx-java-005', match: /new\s+ProcessBuilder\(\s*"sh"\s*,\s*"-c"/g, replace: '/* SECURITY: avoid shell execution */ new ProcessBuilder("sh", "-c"', lang: 'java', tier: 2, title: 'Flag Java shell execution' },
+  { id: 'rfx-java-006', match: /ObjectInputStream\(/g, replace: '/* SECURITY: deserialization risk — validate input */ ObjectInputStream(', lang: 'java', tier: 2, title: 'Flag Java ObjectInputStream' },
+  { id: 'rfx-java-007', match: /XMLInputFactory\.newInstance\(\)/g, replace: '/* disable XXE */ XMLInputFactory.newInstance() /* call setProperty(XMLInputFactory.SUPPORT_DTD, false) */', lang: 'java', tier: 2, title: 'Flag Java XXE risk' },
+  { id: 'rfx-java-008', match: /DocumentBuilderFactory\.newInstance\(\)/g, replace: '/* disable XXE: setFeature("http://apache.org/xml/features/disallow-doctype-decl", true) */ DocumentBuilderFactory.newInstance()', lang: 'java', tier: 2, title: 'Flag Java XXE in DocumentBuilder' },
+  { id: 'rfx-java-009', match: /SAXParserFactory\.newInstance\(\)/g, replace: '/* disable XXE */ SAXParserFactory.newInstance()', lang: 'java', tier: 2, title: 'Flag Java XXE in SAXParser' },
+  { id: 'rfx-java-010', match: /MessageDigest\.getInstance\("MD5"\)/g, replace: 'MessageDigest.getInstance("SHA-256")', lang: 'java', tier: 1, title: 'Replace Java MD5 with SHA-256' },
+  { id: 'rfx-java-011', match: /MessageDigest\.getInstance\("SHA-1"\)/g, replace: 'MessageDigest.getInstance("SHA-256")', lang: 'java', tier: 1, title: 'Replace Java SHA-1 with SHA-256' },
+  { id: 'rfx-java-012', match: /Cipher\.getInstance\("DES/g, replace: 'Cipher.getInstance("AES/GCM/NoPadding', lang: 'java', tier: 1, title: 'Replace Java DES with AES-GCM' },
+  { id: 'rfx-java-013', match: /Cipher\.getInstance\("AES\/ECB/g, replace: 'Cipher.getInstance("AES/GCM/NoPadding', lang: 'java', tier: 1, title: 'Replace Java AES-ECB with AES-GCM' },
+  { id: 'rfx-java-014', match: /new\s+Random\(\)/g, replace: 'new SecureRandom()', lang: 'java', tier: 1, title: 'Replace Java Random with SecureRandom' },
+  { id: 'rfx-java-015', match: /java\.util\.Random/g, replace: 'java.security.SecureRandom', lang: 'java', tier: 1, title: 'Import SecureRandom instead of Random' },
+  { id: 'rfx-java-016', match: /cookie\.setSecure\(\s*false\s*\)/g, replace: 'cookie.setSecure(true)', lang: 'java', tier: 1, title: 'Enable Java secure cookies' },
+  { id: 'rfx-java-017', match: /cookie\.setHttpOnly\(\s*false\s*\)/g, replace: 'cookie.setHttpOnly(true)', lang: 'java', tier: 1, title: 'Enable Java httpOnly cookies' },
+  { id: 'rfx-java-018', match: /\.setAllowedOrigins\(\s*Arrays\.asList\(\s*"\*"\s*\)\s*\)/g, replace: '.setAllowedOrigins(Arrays.asList("http://localhost:3000"))', lang: 'java', tier: 1, title: 'Restrict Java CORS origins' },
+  { id: 'rfx-java-019', match: /new\s+File\(\s*request\.getParameter/g, replace: '/* SECURITY: path traversal risk */ new File(request.getParameter', lang: 'java', tier: 2, title: 'Flag Java path traversal' },
+  { id: 'rfx-java-020', match: /response\.sendRedirect\(\s*request\.getParameter/g, replace: '/* SECURITY: open redirect */ response.sendRedirect(request.getParameter', lang: 'java', tier: 2, title: 'Flag Java open redirect' },
+  { id: 'rfx-java-021', match: /InitialDirContext\(\s*[^)]*request\.getParameter/g, replace: (m) => `/* SECURITY: LDAP injection */ ${m}`, lang: 'java', tier: 2, title: 'Flag Java LDAP injection' },
+  { id: 'rfx-java-022', match: /System\.out\.println\(.*password/gi, replace: '/* SECURITY: do not print passwords */', lang: 'java', tier: 1, title: 'Remove Java password printing' },
+  { id: 'rfx-java-023', match: /System\.out\.println\(.*secret/gi, replace: '/* SECURITY: do not print secrets */', lang: 'java', tier: 1, title: 'Remove Java secret printing' },
+  { id: 'rfx-java-024', match: /logger\.\w+\(.*password/gi, replace: (m) => m.replace(/password\w*/gi, '"[REDACTED]"'), lang: 'java', tier: 1, title: 'Redact passwords in Java logs' },
+  { id: 'rfx-java-025', match: /password\.equals\(\s*"[^"]+"\s*\)/g, replace: '/* SECURITY: use BCrypt.checkpw() instead of plaintext comparison */', lang: 'java', tier: 2, title: 'Flag Java plaintext password comparison' },
+  { id: 'rfx-java-026', match: /e\.printStackTrace\(\)/g, replace: 'logger.error("Error occurred", e)', lang: 'java', tier: 1, title: 'Replace printStackTrace with logger' },
+  { id: 'rfx-java-027', match: /catch\s*\(\s*Exception\s+\w+\s*\)\s*\{\s*\}/g, replace: (m) => m.replace('{}', '{ logger.error("Unhandled exception", e); }'), lang: 'java', tier: 1, title: 'Handle empty Java catch block' },
+  { id: 'rfx-java-028', match: /response\.getWriter\(\)\.write\(\s*exception\.getMessage\(\)/g, replace: 'response.getWriter().write("Internal server error"', lang: 'java', tier: 1, title: 'Hide Java exception message from response' },
+  { id: 'rfx-java-029', match: /SSLContext\.getInstance\("SSL"\)/g, replace: 'SSLContext.getInstance("TLSv1.3")', lang: 'java', tier: 1, title: 'Upgrade Java SSL to TLSv1.3' },
+  { id: 'rfx-java-030', match: /SSLContext\.getInstance\("TLSv1"\)/g, replace: 'SSLContext.getInstance("TLSv1.3")', lang: 'java', tier: 1, title: 'Upgrade Java TLSv1 to TLSv1.3' },
+  { id: 'rfx-java-031', match: /\.setHostnameVerifier\(\s*SSLSocketFactory\.ALLOW_ALL_HOSTNAME_VERIFIER/g, replace: '.setHostnameVerifier(SSLSocketFactory.STRICT_HOSTNAME_VERIFIER', lang: 'java', tier: 1, title: 'Enable strict hostname verification' },
+  { id: 'rfx-java-032', match: /Pattern\.compile\(\s*request\.getParameter/g, replace: '/* SECURITY: ReDoS risk */ Pattern.compile(Pattern.quote(request.getParameter', lang: 'java', tier: 2, title: 'Escape Java regex user input' },
+  { id: 'rfx-java-033', match: /getClass\(\)\.getClassLoader\(\)\.loadClass\(\s*request/g, replace: '/* SECURITY: class loading injection */ getClass().getClassLoader().loadClass(request', lang: 'java', tier: 2, title: 'Flag Java class loading injection' },
+  { id: 'rfx-java-034', match: /ScriptEngine.*eval\(\s*request/g, replace: '/* SECURITY: script injection */ ScriptEngine eval(request', lang: 'java', tier: 2, title: 'Flag Java ScriptEngine eval injection' },
+  { id: 'rfx-java-035', match: /new\s+FileOutputStream\([^,)]+,\s*false\)/g, replace: (m) => m, lang: 'java', tier: 1, title: 'Confirm FileOutputStream overwrite mode' },
+
+  // --- C# (36-70) ---
+  { id: 'rfx-cs-001', match: /SqlCommand\(\s*"SELECT\s+[^"]*"\s*\+/g, replace: (m) => `/* SECURITY: use SqlParameter */ ${m}`, lang: 'csharp', tier: 2, title: 'Flag C# SQL concatenation' },
+  { id: 'rfx-cs-002', match: /SqlCommand\(\s*\$"SELECT/g, replace: (m) => `/* SECURITY: use SqlParameter, not interpolation */ ${m}`, lang: 'csharp', tier: 2, title: 'Flag C# SQL interpolation' },
+  { id: 'rfx-cs-003', match: /SqlCommand\(\s*"(?:INSERT|UPDATE|DELETE)\s+[^"]*"\s*\+/g, replace: (m) => `/* SECURITY: use SqlParameter */ ${m}`, lang: 'csharp', tier: 2, title: 'Flag C# SQL mutation concatenation' },
+  { id: 'rfx-cs-004', match: /Process\.Start\(\s*"cmd"\s*,\s*"\/c\s*"\s*\+/g, replace: '/* SECURITY: command injection */ Process.Start("cmd", "/c " +', lang: 'csharp', tier: 2, title: 'Flag C# command injection' },
+  { id: 'rfx-cs-005', match: /BinaryFormatter\(\)/g, replace: '/* SECURITY: BinaryFormatter is insecure — use JsonSerializer */ new JsonSerializer()', lang: 'csharp', tier: 2, title: 'Replace C# BinaryFormatter' },
+  { id: 'rfx-cs-006', match: /SoapFormatter\(\)/g, replace: '/* SECURITY: SoapFormatter is insecure */ new JsonSerializer()', lang: 'csharp', tier: 2, title: 'Replace C# SoapFormatter' },
+  { id: 'rfx-cs-007', match: /MD5\.Create\(\)/g, replace: 'SHA256.Create()', lang: 'csharp', tier: 1, title: 'Replace C# MD5 with SHA-256' },
+  { id: 'rfx-cs-008', match: /SHA1\.Create\(\)/g, replace: 'SHA256.Create()', lang: 'csharp', tier: 1, title: 'Replace C# SHA-1 with SHA-256' },
+  { id: 'rfx-cs-009', match: /new\s+DESCryptoServiceProvider/g, replace: 'Aes.Create()', lang: 'csharp', tier: 1, title: 'Replace C# DES with AES' },
+  { id: 'rfx-cs-010', match: /new\s+TripleDESCryptoServiceProvider/g, replace: 'Aes.Create()', lang: 'csharp', tier: 1, title: 'Replace C# 3DES with AES' },
+  { id: 'rfx-cs-011', match: /new\s+Random\(\)/g, replace: 'RandomNumberGenerator.Create()', lang: 'csharp', tier: 1, title: 'Replace C# Random with RNG' },
+  { id: 'rfx-cs-012', match: /System\.Random/g, replace: 'System.Security.Cryptography.RandomNumberGenerator', lang: 'csharp', tier: 1, title: 'Import RNG instead of Random' },
+  { id: 'rfx-cs-013', match: /cookie\.Secure\s*=\s*false/g, replace: 'cookie.Secure = true', lang: 'csharp', tier: 1, title: 'Enable C# secure cookies' },
+  { id: 'rfx-cs-014', match: /cookie\.HttpOnly\s*=\s*false/g, replace: 'cookie.HttpOnly = true', lang: 'csharp', tier: 1, title: 'Enable C# httpOnly cookies' },
+  { id: 'rfx-cs-015', match: /SameSiteMode\.None/g, replace: 'SameSiteMode.Strict', lang: 'csharp', tier: 1, title: 'Set C# SameSite to Strict' },
+  { id: 'rfx-cs-016', match: /HtmlEncode/g, replace: 'HtmlEncode', lang: 'csharp', tier: 1, title: 'Confirm HtmlEncode usage' },
+  { id: 'rfx-cs-017', match: /Response\.Write\(\s*Request/g, replace: '/* SECURITY: XSS risk */ Response.Write(HttpUtility.HtmlEncode(Request', lang: 'csharp', tier: 2, title: 'Add HtmlEncode to Response.Write' },
+  { id: 'rfx-cs-018', match: /\.AllowAnyOrigin\(\)/g, replace: '.WithOrigins("http://localhost:3000")', lang: 'csharp', tier: 1, title: 'Restrict C# CORS origins' },
+  { id: 'rfx-cs-019', match: /Redirect\(\s*Request\[/g, replace: '/* SECURITY: open redirect */ Redirect(Request[', lang: 'csharp', tier: 2, title: 'Flag C# open redirect' },
+  { id: 'rfx-cs-020', match: /Path\.Combine\(\s*\w+\s*,\s*Request/g, replace: '/* SECURITY: path traversal */ Path.Combine(basePath, Path.GetFileName(Request', lang: 'csharp', tier: 2, title: 'Fix C# path traversal' },
+  { id: 'rfx-cs-021', match: /DirectorySearcher\(\s*".*"\s*\+\s*Request/g, replace: (m) => `/* SECURITY: LDAP injection */ ${m}`, lang: 'csharp', tier: 2, title: 'Flag C# LDAP injection' },
+  { id: 'rfx-cs-022', match: /Console\.WriteLine\(.*password/gi, replace: '/* SECURITY: do not print passwords */', lang: 'csharp', tier: 1, title: 'Remove C# password printing' },
+  { id: 'rfx-cs-023', match: /Console\.WriteLine\(.*secret/gi, replace: '/* SECURITY: do not print secrets */', lang: 'csharp', tier: 1, title: 'Remove C# secret printing' },
+  { id: 'rfx-cs-024', match: /catch\s*\(\s*Exception\s+\w+\s*\)\s*\{\s*\}/g, replace: (m) => m.replace('{}', '{ _logger.LogError(ex, "Error"); }'), lang: 'csharp', tier: 1, title: 'Handle empty C# catch block' },
+  { id: 'rfx-cs-025', match: /return\s+Content\(\s*ex\.(?:Message|StackTrace)/g, replace: 'return Content("Internal server error"', lang: 'csharp', tier: 1, title: 'Hide C# exception from response' },
+  { id: 'rfx-cs-026', match: /SslProtocols\.Ssl3/g, replace: 'SslProtocols.Tls13', lang: 'csharp', tier: 1, title: 'Upgrade C# SSL3 to TLS1.3' },
+  { id: 'rfx-cs-027', match: /SslProtocols\.Tls\b/g, replace: 'SslProtocols.Tls13', lang: 'csharp', tier: 1, title: 'Upgrade C# TLS to TLS1.3' },
+  { id: 'rfx-cs-028', match: /ServicePointManager\.ServerCertificateValidationCallback\s*=.*true/g, replace: '/* SECURITY: do not bypass cert validation */ ServicePointManager.ServerCertificateValidationCallback = null', lang: 'csharp', tier: 1, title: 'Remove C# cert validation bypass' },
+  { id: 'rfx-cs-029', match: /XmlDocument\(\)/g, replace: 'XmlDocument() { XmlResolver = null }', lang: 'csharp', tier: 1, title: 'Disable C# XXE in XmlDocument' },
+  { id: 'rfx-cs-030', match: /XmlTextReader\(/g, replace: '/* set DtdProcessing = DtdProcessing.Prohibit */ XmlTextReader(', lang: 'csharp', tier: 2, title: 'Disable C# XXE in XmlTextReader' },
+  { id: 'rfx-cs-031', match: /new\s+Regex\(\s*Request/g, replace: '/* SECURITY: ReDoS risk */ new Regex(Regex.Escape(Request', lang: 'csharp', tier: 2, title: 'Escape C# regex user input' },
+  { id: 'rfx-cs-032', match: /File\.ReadAllText\(\s*Request/g, replace: '/* SECURITY: path traversal */ File.ReadAllText(Path.GetFullPath(Request', lang: 'csharp', tier: 2, title: 'Flag C# file read with user input' },
+  { id: 'rfx-cs-033', match: /password\s*==\s*"[^"]+"/g, replace: '/* SECURITY: use BCrypt.Verify instead of plaintext comparison */', lang: 'csharp', tier: 2, title: 'Flag C# plaintext password comparison' },
+  { id: 'rfx-cs-034', match: /\.RequireHttpsMetadata\s*=\s*false/g, replace: '.RequireHttpsMetadata = true', lang: 'csharp', tier: 1, title: 'Enable C# HTTPS metadata requirement' },
+  { id: 'rfx-cs-035', match: /ValidateIssuer\s*=\s*false/g, replace: 'ValidateIssuer = true', lang: 'csharp', tier: 1, title: 'Enable C# JWT issuer validation' },
+];
+export default fixes;