getdoorman 1.0.0

package/src/fixer.js

@@ -0,0 +1,2113 @@
+import chalk from 'chalk';
+import { readFileSync, writeFileSync, statSync, existsSync } from 'fs';
+import { join } from 'path';
+import { execSync } from 'child_process';
+import { check } from './index.js';
+import { recordFix } from './metrics.js';
+import { applyRegistryFix, applyAllRegistryFixes } from './fix-engine.js';
+import jsFixEntries from './fix-registry-js.js';
+import pyFixEntries from './fix-registry-python.js';
+import goRustFixEntries from './fix-registry-go-rust.js';
+import javaCsharpFixEntries from './fix-registry-java-csharp.js';
+import mcpAiFixEntries from './fix-registry-mcp-ai.js';
+import extraFixEntries from './fix-registry-extra.js';
+
+// Merge all registry-based fix entries
+const registryEntries = [
+  ...jsFixEntries, ...pyFixEntries, ...goRustFixEntries,
+  ...javaCsharpFixEntries, ...mcpAiFixEntries, ...extraFixEntries,
+];
+
+// Build patternFixes entries from registry
+const registryPatternFixes = {};
+for (const entry of registryEntries) {
+  registryPatternFixes[entry.id] = {
+    fn: (content) => applyRegistryFix(content, entry),
+    tier: entry.tier,
+    title: entry.title,
+  };
+}
+
+const MAX_FILE_SIZE = 500 * 1024; // 500KB
+const MAX_FILES_PER_RUN = 50;
+const FREE_FIX_LIMIT = 3;
+
+/**
+ * Check if the modified content still has valid syntax.
+ * Catches broken JS/TS/JSON before writing to disk.
+ */
+function isSyntaxValid(filePath, content) {
+  try {
+    if (filePath.endsWith('.json')) {
+      JSON.parse(content);
+      return true;
+    }
+    if (/\.(js|jsx|mjs|cjs)$/.test(filePath)) {
+      // Use Node's built-in parser via new Function (catches syntax errors)
+      new Function(content);
+      return true;
+    }
+    // For other file types (TS, Python, etc.) — assume valid
+    // Full parsing would require language-specific parsers
+    return true;
+  } catch {
+    return false;
+  }
+}
+
+/**
+ * Check if the user has a Pro license key.
+ * Accepts DOORMAN_KEY env var or --license-key CLI option.
+ */
+export function isProUser(options = {}) {
+  const key = options.licenseKey || process.env.DOORMAN_KEY || '';
+  return key.length > 0;
+}
+
+// ---------------------------------------------------------------------------
+// Pattern-based auto-fix functions (no AI required)
+// ---------------------------------------------------------------------------
+
+/**
+ * Each fix function takes (content, finding) and returns the modified content
+ * string, or null if the fix could not be applied safely.
+ *
+ * The `finding` object may include: { file, line, ruleId, title, match, ... }
+ */
+
+// 1. Replace eval(x) with safer alternatives
+export function fixEval(content) {
+  let modified = content;
+  // Replace eval(JSON.parse(...)) or eval on JSON-like strings with JSON.parse
+  modified = modified.replace(
+    /\beval\(\s*(['"`])\s*\{[\s\S]*?\}\s*\1\s*\)/g,
+    (match) => {
+      const inner = match.slice(match.indexOf('(') + 1, -1).trim();
+      return `JSON.parse(${inner})`;
+    },
+  );
+  // Replace eval(variable) with Function constructor + warning comment
+  modified = modified.replace(
+    /\beval\(([^)]+)\)/g,
+    (match, inner) => {
+      const trimmed = inner.trim();
+      // Don't double-fix if already replaced
+      if (match.startsWith('JSON.parse') || match.startsWith('new Function')) return match;
+      // If it looks like JSON parsing, use JSON.parse
+      if (/json/i.test(trimmed)) {
+        return `JSON.parse(${trimmed})`;
+      }
+      return `/* SECURITY: replaced unsafe eval — review this usage */ new Function(${trimmed})()`;
+    },
+  );
+  return modified === content ? null : modified;
+}
+
+// 2. Replace Math.random() in security context with crypto.randomUUID()
+export function fixMathRandom(content) {
+  // Only replace Math.random() that appears near security-related tokens
+  const lines = content.split('\n');
+  let changed = false;
+  const securityKeywords = /token|secret|key|password|auth|session|csrf|nonce|salt|random.*id|id.*random/i;
+
+  const result = lines.map((line) => {
+    if (/Math\.random\(\)/.test(line) && securityKeywords.test(line)) {
+      changed = true;
+      return line.replace(/Math\.random\(\)/g, 'crypto.randomUUID()');
+    }
+    return line;
+  }).join('\n');
+
+  if (!changed) {
+    // Fallback: replace any Math.random() usage
+    const fallback = content.replace(/Math\.random\(\)/g, 'crypto.randomUUID()');
+    return fallback === content ? null : fallback;
+  }
+  return result;
+}
+
+// 3. Add httpOnly, secure, sameSite to cookie options
+export function fixCookieFlags(content) {
+  let modified = content;
+  // Match res.cookie(..., { ... }) and add missing flags
+  modified = modified.replace(
+    /(res\.cookie\([^,]+,\s*[^,]+,\s*\{)([^}]*)\}/g,
+    (match, prefix, options) => {
+      const hasHttpOnly = /httpOnly\s*:/.test(options);
+      const hasSecure = /\bsecure\s*:/.test(options);
+      const hasSameSite = /sameSite\s*:/.test(options);
+      // If all flags present, skip
+      if (hasHttpOnly && hasSecure && hasSameSite) return match;
+      let opts = options;
+      if (!hasHttpOnly) {
+        opts = opts.trimEnd();
+        if (opts.length > 0 && !opts.endsWith(',')) opts += ',';
+        opts += ' httpOnly: true,';
+      }
+      if (!hasSecure) {
+        opts = opts.trimEnd();
+        if (!opts.endsWith(',')) opts += ',';
+        opts += ' secure: true,';
+      }
+      if (!hasSameSite) {
+        opts = opts.trimEnd();
+        if (!opts.endsWith(',')) opts += ',';
+        opts += " sameSite: 'strict'";
+      }
+      return `${prefix}${opts} }`;
+    },
+  );
+  // Handle res.cookie with only 2 args (no options) — add options object
+  modified = modified.replace(
+    /(res\.cookie\(\s*[^,]+,\s*[^,)]+)\s*\)/g,
+    (match, prefix) => {
+      // Avoid matching if already has 3+ args
+      if (prefix.split(',').length > 2) return match;
+      return `${prefix}, { httpOnly: true, secure: true, sameSite: 'strict' })`;
+    },
+  );
+  return modified === content ? null : modified;
+}
+
+// 4. Replace http:// URLs with https:// in config files
+export function fixHttpUrls(content) {
+  const modified = content.replace(
+    /(['"`])http:\/\/((?!localhost|127\.0\.0\.1|0\.0\.0\.0|::1)[^'"`\s]+)(['"`])/g,
+    (match, q1, url, q2) => `${q1}https://${url}${q2}`,
+  );
+  return modified === content ? null : modified;
+}
+
+// 5. Add helmet() import and middleware to Express apps
+export function fixHelmetMissing(content) {
+  // Only apply if this looks like an Express app without helmet
+  if (!/express\(\)/.test(content)) return null;
+  if (/helmet/.test(content)) return null;
+
+  let modified = content;
+  // Add import after the express import
+  modified = modified.replace(
+    /((?:const|let|var)\s+\w+\s*=\s*require\s*\(\s*['"]express['"]\s*\).*?;?\n)/,
+    `$1const helmet = require('helmet');\n`,
+  );
+  // If using ES module imports
+  modified = modified.replace(
+    /(import\s+\w+\s+from\s+['"]express['"].*?\n)/,
+    `$1import helmet from 'helmet';\n`,
+  );
+  // Add app.use(helmet()) after app creation
+  modified = modified.replace(
+    /((?:const|let|var)\s+(\w+)\s*=\s*express\(\).*?;?\n)/,
+    `$1$2.use(helmet());\n`,
+  );
+  return modified === content ? null : modified;
+}
+
+// 6. Replace == with === in auth comparisons
+export function fixLooseEquality(content) {
+  const authKeywords = /password|token|secret|auth|session|user|role|admin|login|credential|apiKey|api_key/i;
+  const lines = content.split('\n');
+  let changed = false;
+
+  const result = lines.map((line) => {
+    // Skip comments
+    if (/^\s*\/\//.test(line) || /^\s*\*/.test(line)) return line;
+    if (authKeywords.test(line) && /[^!=]==[^=]/.test(line)) {
+      changed = true;
+      return line.replace(/([^!=])={2}([^=])/g, '$1===$2');
+    }
+    if (authKeywords.test(line) && /[^!]=![^=]/.test(line)) {
+      // skip — != to !== is rarer, handle == only
+    }
+    return line;
+  }).join('\n');
+
+  return changed ? result : null;
+}
+
+// 7. Add algorithms option to jwt.verify calls
+export function fixJwtVerifyAlgorithm(content) {
+  const modified = content.replace(
+    /jwt\.verify\(\s*([^,]+),\s*([^,)]+)\s*\)/g,
+    (match, token, secret) => {
+      return `jwt.verify(${token}, ${secret}, { algorithms: ['HS256'] })`;
+    },
+  );
+  return modified === content ? null : modified;
+}
+
+// 8. Replace MD5/SHA1 with SHA256 in crypto.createHash
+export function fixWeakHash(content) {
+  const modified = content.replace(
+    /crypto\.createHash\(\s*['"](?:md5|sha1|MD5|SHA1)['"]\s*\)/g,
+    "crypto.createHash('sha256')",
+  );
+  return modified === content ? null : modified;
+}
+
+// 9. Add -- comment terminator to SQL queries with string interpolation
+export function fixSqlTerminator(content) {
+  // Match template literals and string concat that look like SQL with interpolation
+  const modified = content.replace(
+    /(`\s*(?:SELECT|INSERT|UPDATE|DELETE|DROP|ALTER)\b[^`]*\$\{[^}]+\}[^`]*?)(`)/gi,
+    (match, query, close) => {
+      if (/--\s*$/.test(query.trim())) return match; // already has terminator
+      return `${query} --${close}`;
+    },
+  );
+  return modified === content ? null : modified;
+}
+
+// 10. Replace child_process.exec with execFile
+export function fixExecToExecFile(content) {
+  let modified = content;
+  // Replace require destructuring
+  modified = modified.replace(
+    /\b(require\(\s*['"]child_process['"]\s*\))\.exec\b/g,
+    '$1.execFile',
+  );
+  // Replace destructured import: { exec } -> { execFile }
+  modified = modified.replace(
+    /\{\s*exec\s*\}(\s*=\s*require\(\s*['"]child_process['"]\s*\))/g,
+    '{ execFile }$1',
+  );
+  // Replace ES module import
+  modified = modified.replace(
+    /import\s*\{\s*exec\s*\}\s*from\s*['"]child_process['"]/g,
+    "import { execFile } from 'child_process'",
+  );
+  // Replace direct exec( calls with execFile( — only when clearly from child_process
+  modified = modified.replace(
+    /\bexec\(\s*(['"`])/g,
+    (match, quote) => `execFile(${quote}`,
+  );
+  return modified === content ? null : modified;
+}
+
+// 11. Add expiresIn to jwt.sign calls missing expiration
+export function fixJwtSignExpiry(content) {
+  // Match jwt.sign(payload, secret) without options or with options missing expiresIn
+  let modified = content;
+
+  // Case 1: jwt.sign(payload, secret) — no options at all
+  modified = modified.replace(
+    /jwt\.sign\(\s*([^,]+),\s*([^,)]+)\s*\)(?!\s*;?\s*\/\*.*expiresIn)/g,
+    (match, payload, secret) => {
+      // Make sure this isn't already a 3-arg call
+      if (secret.includes('{')) return match;
+      return `jwt.sign(${payload}, ${secret}, { expiresIn: '1h' })`;
+    },
+  );
+
+  // Case 2: jwt.sign(payload, secret, { ... }) where options exist but no expiresIn
+  modified = modified.replace(
+    /jwt\.sign\(\s*([^,]+),\s*([^,]+),\s*\{([^}]*)\}\s*\)/g,
+    (match, payload, secret, options) => {
+      if (/expiresIn/.test(options)) return match;
+      let opts = options.trimEnd();
+      if (opts.length > 0 && !opts.endsWith(',')) opts += ',';
+      return `jwt.sign(${payload}, ${secret}, {${opts} expiresIn: '1h' })`;
+    },
+  );
+
+  return modified === content ? null : modified;
+}
+
+// 12. Add rate-limit middleware to Express apps
+export function fixRateLimitMissing(content) {
+  if (!/express\(\)/.test(content)) return null;
+  if (/rate.?limit/i.test(content)) return null;
+
+  let modified = content;
+  // Add require after express require
+  modified = modified.replace(
+    /((?:const|let|var)\s+\w+\s*=\s*require\s*\(\s*['"]express['"]\s*\).*?;?\n)/,
+    `$1const rateLimit = require('express-rate-limit');\n`,
+  );
+  // ES module import
+  modified = modified.replace(
+    /(import\s+\w+\s+from\s+['"]express['"].*?\n)/,
+    `$1import rateLimit from 'express-rate-limit';\n`,
+  );
+  // Add middleware after app creation
+  modified = modified.replace(
+    /((?:const|let|var)\s+(\w+)\s*=\s*express\(\).*?;?\n)/,
+    `$1$2.use(rateLimit({ windowMs: 15 * 60 * 1000, max: 100 }));\n`,
+  );
+  return modified === content ? null : modified;
+}
+
+// 13. Replace JSON.parse(req.body) with body-parser middleware
+export function fixJsonParseReqBody(content) {
+  let modified = content;
+  // Replace JSON.parse(req.body) with just req.body (assumes body-parser)
+  modified = modified.replace(
+    /JSON\.parse\(\s*req\.body\s*\)/g,
+    'req.body /* use express.json() middleware instead of manual JSON.parse */',
+  );
+  // If this is an Express app, add express.json() middleware
+  if (/express\(\)/.test(modified) && !/\.use\(\s*express\.json\(\)\s*\)/.test(modified) && !/bodyParser/.test(modified)) {
+    modified = modified.replace(
+      /((?:const|let|var)\s+(\w+)\s*=\s*express\(\).*?;?\n)/,
+      `$1$2.use(express.json());\n`,
+    );
+  }
+  return modified === content ? null : modified;
+}
+
+// 14. Add .escape() to user input before SQL (stopgap)
+export function fixSqlEscape(content) {
+  // Look for direct string interpolation in SQL-like queries
+  const modified = content.replace(
+    /(`\s*(?:SELECT|INSERT|UPDATE|DELETE)\b[^`]*)\$\{(\s*(?:req\.(?:body|query|params)\.\w+|userInput|input)\s*)\}([^`]*`)/gi,
+    (match, before, variable, after) => {
+      const trimmedVar = variable.trim();
+      // Don't double-wrap
+      if (trimmedVar.includes('escape(') || trimmedVar.includes('sanitize(')) return match;
+      return `${before}\${escape(${trimmedVar})}${after}`;
+    },
+  );
+  return modified === content ? null : modified;
+}
+
+// 15. Add Content-Security-Policy header via helmet
+export function fixContentSecurityPolicy(content) {
+  // If helmet is already used with contentSecurityPolicy, skip
+  if (/contentSecurityPolicy/.test(content)) return null;
+  if (!/express\(\)/.test(content)) return null;
+
+  let modified = content;
+  // If helmet() is already used, upgrade to include CSP directives
+  if (/helmet\(\)/.test(modified)) {
+    modified = modified.replace(
+      /helmet\(\)/,
+      `helmet({ contentSecurityPolicy: { directives: { defaultSrc: ["'self'"], scriptSrc: ["'self'"], styleSrc: ["'self'", "'unsafe-inline'"] } } })`,
+    );
+  } else {
+    // Add helmet with CSP
+    modified = modified.replace(
+      /((?:const|let|var)\s+(\w+)\s*=\s*express\(\).*?;?\n)/,
+      `$1$2.use(require('helmet')({ contentSecurityPolicy: { directives: { defaultSrc: ["'self'"], scriptSrc: ["'self'"], styleSrc: ["'self'", "'unsafe-inline'"] } } }));\n`,
+    );
+  }
+  return modified === content ? null : modified;
+}
+
+// 16. Remove console.log statements (replace with logger)
+export function fixConsoleLog(content) {
+  const lines = content.split('\n');
+  let changed = false;
+
+  const result = lines.map((line) => {
+    // Skip comments
+    if (/^\s*\/\//.test(line)) return line;
+    // Replace console.log/debug/info/warn/error with logger equivalents
+    if (/\bconsole\.(log|debug|info)\s*\(/.test(line)) {
+      changed = true;
+      return line
+        .replace(/\bconsole\.log\s*\(/, 'logger.info(')
+        .replace(/\bconsole\.debug\s*\(/, 'logger.debug(')
+        .replace(/\bconsole\.info\s*\(/, 'logger.info(');
+    }
+    return line;
+  }).join('\n');
+
+  return changed ? result : null;
+}
+
+// 17. Add return type to exported TypeScript functions
+export function fixTsReturnType(content) {
+  const modified = content.replace(
+    /^(export\s+(?:async\s+)?function\s+\w+\s*\([^)]*\))\s*\{/gm,
+    (match, sig) => {
+      // Skip if already has return type annotation
+      if (/\)\s*:\s*\S/.test(sig)) return match;
+      return `${sig}: void {`;
+    },
+  );
+  return modified === content ? null : modified;
+}
+
+// 18. Convert var to const/let
+export function fixVarToConstLet(content) {
+  const lines = content.split('\n');
+  let changed = false;
+
+  const result = lines.map((line) => {
+    // Skip comments
+    if (/^\s*\/\//.test(line) || /^\s*\*/.test(line)) return line;
+    // Replace var with const for assignments that look like constants
+    const varMatch = line.match(/^(\s*)var\s+(\w+)\s*=/);
+    if (varMatch) {
+      changed = true;
+      // Use const by default (safer); let if reassigned later is a manual step
+      return line.replace(/\bvar\s+/, 'const ');
+    }
+    // var without assignment (declaration only) => let
+    const varDeclMatch = line.match(/^(\s*)var\s+(\w+)\s*;/);
+    if (varDeclMatch) {
+      changed = true;
+      return line.replace(/\bvar\s+/, 'let ');
+    }
+    return line;
+  }).join('\n');
+
+  return changed ? result : null;
+}
+
+// 19. Add error parameter to empty catch blocks
+export function fixEmptyCatch(content) {
+  const modified = content.replace(
+    /catch\s*\(\s*\)\s*\{/g,
+    'catch (error) {',
+  );
+  return modified === content ? null : modified;
+}
+
+// 20. Convert callback-style to async/await (fs.readFile as common case)
+export function fixCallbackToAsync(content) {
+  // Convert fs.readFile(path, encoding, (err, data) => { ... }) to await
+  const modified = content.replace(
+    /fs\.readFile\(\s*([^,]+),\s*(['"][^'"]+['"])\s*,\s*(?:function\s*\(\s*(\w+)\s*,\s*(\w+)\s*\)|(?:\(\s*(\w+)\s*,\s*(\w+)\s*\)|\(\s*(\w+)\s*,\s*(\w+)\s*\))\s*=>)\s*\{/g,
+    (match, path, encoding, err1, data1, err2, data2, err3, data3) => {
+      const dataVar = data1 || data2 || data3 || 'data';
+      return `const ${dataVar} = await fs.promises.readFile(${path}, ${encoding});\n{`;
+    },
+  );
+  return modified === content ? null : modified;
+}
+
+// ---------------------------------------------------------------------------
+// Advanced JS/TS auto-fix functions (21-40)
+// ---------------------------------------------------------------------------
+
+// 21. Replace dangerouslySetInnerHTML={{__html: var}} with DOMPurify.sanitize wrapper
+export function fixDangerouslySetInnerHTML(content) {
+  const modified = content.replace(
+    /dangerouslySetInnerHTML\s*=\s*\{\s*\{\s*__html\s*:\s*([^}]+)\}\s*\}/g,
+    (match, variable) => {
+      const trimmed = variable.trim();
+      if (/DOMPurify\.sanitize/.test(trimmed)) return match;
+      return `dangerouslySetInnerHTML={{ __html: DOMPurify.sanitize(${trimmed}) }}`;
+    },
+  );
+  return modified === content ? null : modified;
+}
+
+// 22. Replace document.write(var) with textContent assignment
+export function fixDocumentWrite(content) {
+  const modified = content.replace(
+    /document\.write\(([^)]+)\)/g,
+    (match, arg) => {
+      const trimmed = arg.trim();
+      return `document.body.textContent = ${trimmed} /* SECURITY: replaced unsafe document.write */`;
+    },
+  );
+  return modified === content ? null : modified;
+}
+
+// 23. Replace el.innerHTML = var with el.textContent = var
+export function fixInnerHTML(content) {
+  const modified = content.replace(
+    /(\w+(?:\.\w+)*)\.innerHTML\s*=\s*([^;]+);/g,
+    (match, el, value) => {
+      const trimmed = value.trim();
+      if (/DOMPurify|sanitize|escapeHtml/.test(trimmed)) return match;
+      return `${el}.textContent = ${trimmed};`;
+    },
+  );
+  return modified === content ? null : modified;
+}
+
+// 24. Replace {$where: userInput} with safe MongoDB query
+export function fixNoSqlInjection(content) {
+  const modified = content.replace(
+    /\{\s*\$where\s*:\s*([^}]+)\}/g,
+    (match, expr) => {
+      const trimmed = expr.trim();
+      return `{ /* SECURITY: replaced unsafe $where */ $expr: { $eq: [${trimmed}, true] } }`;
+    },
+  );
+  return modified === content ? null : modified;
+}
+
+// 25. Add null prototype to object merge to prevent prototype pollution
+export function fixPrototypePollution(content) {
+  let modified = content;
+  modified = modified.replace(
+    /Object\.assign\(\s*\{\s*\}\s*,\s*([^)]+)\)/g,
+    (match, args) => {
+      if (/Object\.create\(null\)/.test(match)) return match;
+      return `Object.assign(Object.create(null), ${args})`;
+    },
+  );
+  return modified === content ? null : modified;
+}
+
+// 26. Replace string === comparison for secrets with crypto.timingSafeEqual
+export function fixTimingAttack(content) {
+  const secretKeywords = /secret|token|apiKey|api_key|password|hash|signature|hmac|digest/i;
+  const lines = content.split('\n');
+  let changed = false;
+
+  const result = lines.map((line) => {
+    if (/^\s*\/\//.test(line) || /^\s*\*/.test(line)) return line;
+    if (secretKeywords.test(line) && /===/.test(line) && !/timingSafeEqual/.test(line)) {
+      const m = line.match(/(\w+)\s*===\s*(\w+)/);
+      if (m) {
+        changed = true;
+        return line.replace(
+          /(\w+)\s*===\s*(\w+)/,
+          `crypto.timingSafeEqual(Buffer.from(${m[1]}), Buffer.from(${m[2]}))`,
+        );
+      }
+    }
+    return line;
+  }).join('\n');
+
+  return changed ? result : null;
+}
+
+// 27. Add path.resolve + startsWith check around fs operations with user input
+export function fixPathTraversal(content) {
+  const modified = content.replace(
+    /(fs\.(?:readFileSync|readFile|writeFileSync|writeFile|createReadStream|createWriteStream)\(\s*)(req\.(?:params|query|body)\.\w+|userPath|filePath|inputPath)/g,
+    (match, fsCall, pathVar) => {
+      return `/* SECURITY: path traversal guard */\n    const safePath = path.resolve(__dirname, ${pathVar});\n    if (!safePath.startsWith(path.resolve(__dirname))) throw new Error('Path traversal detected');\n    ${fsCall}safePath`;
+    },
+  );
+  return modified === content ? null : modified;
+}
+
+// 28. Add safe-regex wrapper to new RegExp(userInput)
+export function fixRegexDos(content) {
+  const modified = content.replace(
+    /new RegExp\((\s*(?:req\.(?:body|query|params)\.\w+|userInput|userPattern|pattern|input)\s*)\)/g,
+    (match, variable) => {
+      const trimmed = variable.trim();
+      return `/* SECURITY: sanitize regex input to prevent ReDoS */ new RegExp(${trimmed}.replace(/[.*+?^$\{\}()|[\\]\\\\]/g, '\\\\$&'))`;
+    },
+  );
+  return modified === content ? null : modified;
+}
+
+// 29. Add URL validation/whitelist before res.redirect(userInput)
+export function fixOpenRedirect(content) {
+  const modified = content.replace(
+    /res\.redirect\(\s*(req\.(?:query|body|params)\.\w+|redirectUrl|returnUrl)\s*\)/g,
+    (match, variable) => {
+      return `/* SECURITY: validate redirect URL to prevent open redirect */\n    const allowedHosts = [process.env.APP_HOST || 'localhost'];\n    const redirectTarget = new URL(${variable}, \`https://\${allowedHosts[0]}\`);\n    if (!allowedHosts.includes(redirectTarget.hostname)) { return res.redirect('/'); }\n    res.redirect(redirectTarget.pathname)`;
+    },
+  );
+  return modified === content ? null : modified;
+}
+
+// 30. Add express-rate-limit to route handlers
+export function fixNoRateLimit(content) {
+  if (!/\.(get|post|put|delete|patch)\s*\(/.test(content)) return null;
+  if (/rateLimit|rate.?limit/i.test(content)) return null;
+  if (!/express|router|app/.test(content)) return null;
+
+  let modified = content;
+  if (/require/.test(modified)) {
+    modified = `const rateLimit = require('express-rate-limit');\nconst limiter = rateLimit({ windowMs: 15 * 60 * 1000, max: 100 });\n${modified}`;
+  } else {
+    modified = `import rateLimit from 'express-rate-limit';\nconst limiter = rateLimit({ windowMs: 15 * 60 * 1000, max: 100 });\n${modified}`;
+  }
+  return modified === content ? null : modified;
+}
+
+// 31. Replace req.query.x in response with escaped version
+export function fixXssQueryParam(content) {
+  const modified = content.replace(
+    /(res\.(?:send|write|end)\(\s*)(req\.query\.\w+)(\s*\))/g,
+    (match, prefix, param, suffix) => {
+      return `${prefix}String(${param}).replace(/[<>&"']/g, c => ({ '<': '&lt;', '>': '&gt;', '&': '&amp;', '"': '&quot;', "'": '&#39;' })[c])${suffix}`;
+    },
+  );
+  return modified === content ? null : modified;
+}
+
+// 32. Replace hardcoded 0.0.0.0 with process.env.HOST
+export function fixHardcodedIp(content) {
+  const modified = content.replace(
+    /(['"])0\.0\.0\.0\1/g,
+    "process.env.HOST || '127.0.0.1'",
+  );
+  return modified === content ? null : modified;
+}
+
+// 33. Add CSP directives to existing helmet() call
+export function fixNoHelmetCsp(content) {
+  if (!/helmet\(\s*\)/.test(content)) return null;
+  if (/contentSecurityPolicy/.test(content)) return null;
+
+  const modified = content.replace(
+    /helmet\(\s*\)/g,
+    `helmet({ contentSecurityPolicy: { directives: { defaultSrc: ["'self'"], scriptSrc: ["'self'"], objectSrc: ["'none'"], upgradeInsecureRequests: [] } } })`,
+  );
+  return modified === content ? null : modified;
+}
+
+// 34. Replace string concat SQL with parameterized query
+export function fixSqlConcat(content) {
+  const modified = content.replace(
+    /(['"])(\s*SELECT\s+.+?FROM\s+\w+\s+WHERE\s+\w+\s*=\s*)['"]\s*\+\s*(\w+)/gi,
+    (match, quote, sqlPart, variable) => {
+      return `${quote}${sqlPart}?${quote}, [${variable}]`;
+    },
+  );
+  return modified === content ? null : modified;
+}
+
+// 35. Replace localStorage JWT storage with httpOnly cookie
+export function fixJwtStorageLocal(content) {
+  const modified = content.replace(
+    /localStorage\.setItem\(\s*(['"])(?:jwt|token|accessToken|access_token|authToken|auth_token)\1\s*,\s*([^)]+)\)/g,
+    (match, quote, tokenVar) => {
+      return `/* SECURITY: Do NOT store JWTs in localStorage - use httpOnly cookies instead */\n    // localStorage.setItem(${quote}token${quote}, ${tokenVar});\n    document.cookie = 'token=' + ${tokenVar} + '; Secure; SameSite=Strict; path=/'`;
+    },
+  );
+  return modified === content ? null : modified;
+}
+
+// 36. Replace origin: '*' with specific origins array
+export function fixCorsWildcard(content) {
+  const modified = content.replace(
+    /origin\s*:\s*(['"])\*\1/g,
+    "origin: [process.env.ALLOWED_ORIGIN || 'https://yourdomain.com']",
+  );
+  return modified === content ? null : modified;
+}
+
+// 37. Add basic input validation stub for req.body
+export function fixNoInputValidation(content) {
+  if (!/req\.body/.test(content)) return null;
+  if (/validate|schema|zod|joi|yup|ajv/i.test(content)) return null;
+  if (!/express|router|app/.test(content)) return null;
+
+  let modified = content;
+  modified = modified.replace(
+    /((?:app|router)\.(?:post|put|patch)\([^)]+,\s*(?:async\s+)?(?:function\s*)?\([^)]*\)\s*(?:=>)?\s*\{[^}]*)(req\.body)/,
+    (match, before, reqBody) => {
+      return `${before}/* TODO: Add input validation, e.g.:\n    const schema = Joi.object({ name: Joi.string().required() });\n    const { error, value } = schema.validate(req.body);\n    if (error) return res.status(400).json({ error: error.message });\n    */\n    ${reqBody}`;
+    },
+  );
+  return modified === content ? null : modified;
+}
+
+// 38. Replace console.error in catch with proper logger
+export function fixConsoleError(content) {
+  const lines = content.split('\n');
+  let changed = false;
+
+  const result = lines.map((line) => {
+    if (/^\s*\/\//.test(line)) return line;
+    if (/\bconsole\.error\s*\(/.test(line)) {
+      changed = true;
+      return line.replace(/\bconsole\.error\s*\(/, 'logger.error(');
+    }
+    return line;
+  }).join('\n');
+
+  return changed ? result : null;
+}
+
+// 39. Replace await-in-loop with Promise.all pattern
+export function fixAwaitInLoop(content) {
+  const modified = content.replace(
+    /for\s*\(\s*(?:const|let|var)\s+(\w+)\s+of\s+(\w+)\s*\)\s*\{([^}]*await\s+(\w+)\(([^)]*)\)[^}]*)\}/gs,
+    (match, item, collection, body) => {
+      if ((body.match(/await/g) || []).length > 1) return match;
+      return `/* PERF: parallelized sequential awaits */\nawait Promise.all(${collection}.map(async (${item}) => {\n${body}\n}))`;
+    },
+  );
+  return modified === content ? null : modified;
+}
+
+// 40. Add Express error handler middleware at end of app
+export function fixMissingErrorHandler(content) {
+  if (!/express\(\)/.test(content)) return null;
+  if (/err\s*,\s*req\s*,\s*res\s*,\s*next/.test(content)) return null;
+
+  let modified = content;
+  const errorHandler = `\n// SECURITY: Global error handler - do not leak stack traces\napp.use((err, req, res, next) => {\n  logger.error(err.message);\n  res.status(err.status || 500).json({ error: 'Internal server error' });\n});\n`;
+
+  if (/module\.exports/.test(modified)) {
+    modified = modified.replace(
+      /(module\.exports)/,
+      `${errorHandler}\n$1`,
+    );
+  } else if (/export\s+default/.test(modified)) {
+    modified = modified.replace(
+      /(export\s+default)/,
+      `${errorHandler}\n$1`,
+    );
+  } else {
+    modified = modified + errorHandler;
+  }
+  return modified === content ? null : modified;
+}
+
+// ---------------------------------------------------------------------------
+// Python auto-fix functions
+// ---------------------------------------------------------------------------
+
+// P1. Replace DEBUG = True with env-based config
+export function fixPythonDebugTrue(content) {
+  const modified = content.replace(
+    /^(\s*)DEBUG\s*=\s*True\s*$/gm,
+    `$1DEBUG = os.environ.get('DEBUG', 'False') == 'True'`,
+  );
+  return modified === content ? null : modified;
+}
+
+// P2. Replace hardcoded SECRET_KEY with env variable
+export function fixPythonHardcodedSecret(content) {
+  const modified = content.replace(
+    /^(\s*)SECRET_KEY\s*=\s*(['"])(?!os\.environ)[^'"]+\2\s*$/gm,
+    `$1SECRET_KEY = os.environ['SECRET_KEY']`,
+  );
+  return modified === content ? null : modified;
+}
+
+// P3. Replace subprocess.call(cmd, shell=True) with shlex.split
+export function fixPythonShellTrue(content) {
+  const modified = content.replace(
+    /subprocess\.call\((\w+),\s*shell\s*=\s*True\)/g,
+    'subprocess.call(shlex.split($1))',
+  );
+  return modified === content ? null : modified;
+}
+
+// P4. Replace eval(user_input) with ast.literal_eval
+export function fixPythonEval(content) {
+  const modified = content.replace(
+    /\beval\((\w+)\)/g,
+    'ast.literal_eval($1)',
+  );
+  return modified === content ? null : modified;
+}
+
+// P5. Replace pickle.loads(data) with json.loads(data)
+export function fixPythonPickleLoad(content) {
+  const modified = content.replace(
+    /pickle\.loads\((\w+)\)/g,
+    'json.loads($1)  # SECURITY: replaced unsafe pickle.loads with json.loads',
+  );
+  return modified === content ? null : modified;
+}
+
+// P6. Replace yaml.load(data) with yaml.safe_load(data)
+export function fixPythonYamlLoad(content) {
+  const modified = content.replace(
+    /yaml\.load\(([^)]+)\)/g,
+    (match, args) => {
+      // Don't replace if already safe_load
+      if (match.includes('safe_load')) return match;
+      return `yaml.safe_load(${args})`;
+    },
+  );
+  return modified === content ? null : modified;
+}
+
+// P7. Replace hashlib.md5( with hashlib.sha256(
+export function fixPythonMd5(content) {
+  const modified = content.replace(
+    /hashlib\.md5\(/g,
+    'hashlib.sha256(',
+  );
+  return modified === content ? null : modified;
+}
+
+// P8. Replace hashlib.sha1( with hashlib.sha256(
+export function fixPythonSha1(content) {
+  const modified = content.replace(
+    /hashlib\.sha1\(/g,
+    'hashlib.sha256(',
+  );
+  return modified === content ? null : modified;
+}
+
+// P9. Replace verify=False with verify=True in requests calls
+export function fixPythonRequestsNoVerify(content) {
+  const modified = content.replace(
+    /(requests\.(?:get|post|put|patch|delete|head|options)\([^)]*)\bverify\s*=\s*False/g,
+    '$1verify=True',
+  );
+  return modified === content ? null : modified;
+}
+
+// P10. Add timeout=30 to requests.get/post calls missing timeout
+export function fixPythonRequestsNoTimeout(content) {
+  const modified = content.replace(
+    /(requests\.(?:get|post|put|patch|delete)\([^)]*)\)(?!.*timeout)/g,
+    (match, prefix) => {
+      if (/timeout/.test(match)) return match;
+      // Check if there are existing kwargs
+      const hasArgs = prefix.includes(',');
+      return hasArgs ? `${prefix}, timeout=30)` : `${prefix}, timeout=30)`;
+    },
+  );
+  return modified === content ? null : modified;
+}
+
+// P11. Replace os.system(cmd) with subprocess.run(shlex.split(cmd), check=True)
+export function fixPythonOsSystem(content) {
+  const modified = content.replace(
+    /os\.system\((\w+)\)/g,
+    'subprocess.run(shlex.split($1), check=True)',
+  );
+  return modified === content ? null : modified;
+}
+
+// P12. Replace random.randint with secrets.randbelow in security contexts
+export function fixPythonInsecureRandom(content) {
+  const lines = content.split('\n');
+  let changed = false;
+  const securityKeywords = /token|secret|key|password|auth|session|csrf|nonce|salt|otp|pin|code/i;
+
+  const result = lines.map((line) => {
+    if (/random\.randint\(/.test(line) && securityKeywords.test(line)) {
+      changed = true;
+      return line.replace(
+        /random\.randint\(\s*\d+\s*,\s*(\w+|\d+)\s*\)/g,
+        'secrets.randbelow($1)',
+      );
+    }
+    return line;
+  }).join('\n');
+
+  return changed ? result : null;
+}
+
+// P13. Replace cursor.execute("SELECT... %s" % var) with parameterized query
+export function fixPythonSqlFormat(content) {
+  const modified = content.replace(
+    /cursor\.execute\(\s*"([^"]*%s[^"]*)"\s*%\s*(\w+)\s*\)/g,
+    'cursor.execute("$1", ($2,))',
+  );
+  return modified === content ? null : modified;
+}
+
+// P14. Replace app.run(debug=True) with env-based debug
+export function fixPythonFlaskDebug(content) {
+  const modified = content.replace(
+    /app\.run\(([^)]*)debug\s*=\s*True([^)]*)\)/g,
+    `app.run($1debug=os.environ.get('FLASK_DEBUG', False)$2)`,
+  );
+  return modified === content ? null : modified;
+}
+
+// P15. Replace tempfile.mktemp() with tempfile.mkstemp()
+export function fixPythonMktemp(content) {
+  const modified = content.replace(
+    /tempfile\.mktemp\(\)/g,
+    'tempfile.mkstemp()',
+  );
+  return modified === content ? null : modified;
+}
+
+// P16. Add Py2/Py3 safety comment for input()
+export function fixPythonInputPy2(content) {
+  const modified = content.replace(
+    /^(\s*)(\w+\s*=\s*)input\(([^)]*)\)/gm,
+    '$1$2input($3)  # NOTE: In Python 2, use raw_input() instead of input() for safety',
+  );
+  return modified === content ? null : modified;
+}
+
+// P17. Replace assert for security checks with proper if/raise
+export function fixPythonAssertSecurity(content) {
+  const modified = content.replace(
+    /^(\s*)assert\s+(user\.\w+|is_admin|is_authenticated|has_permission\([^)]*\))/gm,
+    '$1if not $2:\n$1    raise PermissionError("Access denied")',
+  );
+  return modified === content ? null : modified;
+}
+
+// P18. Replace 0.0.0.0 with 127.0.0.1 in bind calls
+export function fixPythonBindAllInterfaces(content) {
+  const modified = content.replace(
+    /(\.(?:bind|run|listen)\([^)]*)(["'])0\.0\.0\.0\2/g,
+    '$1$2127.0.0.1$2',
+  );
+  return modified === content ? null : modified;
+}
+
+// P19. Replace etree.parse( with defusedxml.parse(
+export function fixPythonXmlParse(content) {
+  const modified = content.replace(
+    /etree\.parse\(/g,
+    'defusedxml.parse(',
+  );
+  return modified === content ? null : modified;
+}
+
+// P20. Replace render_template_string(user_data) with safe version
+export function fixPythonRenderTemplateString(content) {
+  const modified = content.replace(
+    /render_template_string\((\w+)\)/g,
+    'render_template_string(safe_template, data=$1)',
+  );
+  return modified === content ? null : modified;
+}
+
+// ---------------------------------------------------------------------------
+// Go auto-fix functions
+// ---------------------------------------------------------------------------
+
+// G1. Replace db.Query(fmt.Sprintf("...%s", var)) with parameterized query
+export function fixGoFmtSprintfSql(content) {
+  const modified = content.replace(
+    /db\.Query\(\s*fmt\.Sprintf\(\s*"([^"]*?)%s([^"]*?)"\s*,\s*(\w+)\s*\)\s*\)/g,
+    (match, before, after, variable) => {
+      return `db.Query("${before}$1${after}", ${variable})`;
+    },
+  );
+  return modified === content ? null : modified;
+}
+
+// G2. Replace InsecureSkipVerify: true with false
+export function fixGoInsecureSkipVerify(content) {
+  const modified = content.replace(
+    /InsecureSkipVerify:\s*true/g,
+    'InsecureSkipVerify: false',
+  );
+  return modified === content ? null : modified;
+}
+
+// G3. Replace crypto/md5 import with crypto/sha256
+export function fixGoMd5Import(content) {
+  const modified = content.replace(
+    /"crypto\/md5"/g,
+    '"crypto/sha256"',
+  );
+  return modified === content ? null : modified;
+}
+
+// G4. Replace result, _ := someFunc() with result, err := someFunc() + error check
+export function fixGoIgnoredError(content) {
+  const modified = content.replace(
+    /^(\s*)(\w+),\s*_\s*:=\s*(.+)$/gm,
+    (match, indent, result, call) => {
+      return `${indent}${result}, err := ${call}\n${indent}if err != nil {\n${indent}\treturn err\n${indent}}`;
+    },
+  );
+  return modified === content ? null : modified;
+}
+
+// G5. Add Timeout to &http.Client{}
+export function fixGoHttpNoTimeout(content) {
+  const modified = content.replace(
+    /&http\.Client\{\s*\}/g,
+    '&http.Client{Timeout: 30 * time.Second}',
+  );
+  return modified === content ? null : modified;
+}
+
+// G6. Replace :8080 with 127.0.0.1:8080 in net.Listen
+export function fixGoBindAllInterfaces(content) {
+  const modified = content.replace(
+    /(net\.Listen\(\s*"[^"]*"\s*,\s*"):(\d+"\s*\))/g,
+    '$1127.0.0.1:$2',
+  );
+  return modified === content ? null : modified;
+}
+
+// G7. Replace template.HTML(userInput) with template.HTMLEscapeString(userInput)
+export function fixGoTemplateHtml(content) {
+  const modified = content.replace(
+    /template\.HTML\((\w+)\)/g,
+    'template.HTMLEscapeString($1)',
+  );
+  return modified === content ? null : modified;
+}
+
+// G8. Add comment warning when exec.Command uses variable
+export function fixGoExecCommand(content) {
+  const lines = content.split('\n');
+  let changed = false;
+  const result = lines.map((line) => {
+    if (/exec\.Command\(/.test(line) && !/exec\.Command\(\s*"[^"]*"\s*\)/.test(line) && !/SECURITY/.test(line)) {
+      changed = true;
+      return `/* SECURITY: exec.Command with variable input — validate/sanitize before use */ ${line}`;
+    }
+    return line;
+  }).join('\n');
+  return changed ? result : null;
+}
+
+// G9. Replace math/rand with crypto/rand in security contexts
+export function fixGoWeakRand(content) {
+  const modified = content.replace(
+    /"math\/rand"/g,
+    '"crypto/rand"',
+  );
+  return modified === content ? null : modified;
+}
+
+// G10. Replace defer f.Close() with defer func() { _ = f.Close() }()
+export function fixGoDeferClose(content) {
+  const modified = content.replace(
+    /defer\s+(\w+)\.Close\(\)/g,
+    'defer func() { _ = $1.Close() }()',
+  );
+  return modified === content ? null : modified;
+}
+
+// ---------------------------------------------------------------------------
+// Ruby auto-fix functions
+// ---------------------------------------------------------------------------
+
+// R1. Replace find_by_sql("...#{var}") with parameterized version
+export function fixRubyFindBySql(content) {
+  const modified = content.replace(
+    /find_by_sql\(\s*"([^"]*?)#\{(\w+)\}([^"]*?)"\s*\)/g,
+    (match, before, variable, after) => {
+      return `find_by_sql(["${before}?${after}", ${variable}])`;
+    },
+  );
+  return modified === content ? null : modified;
+}
+
+// R2. Replace .html_safe with sanitize() wrapper
+export function fixRubyHtmlSafe(content) {
+  const modified = content.replace(
+    /(\w+(?:\.\w+)*)\.html_safe/g,
+    'sanitize($1)',
+  );
+  return modified === content ? null : modified;
+}
+
+// R3. Replace system("cmd #{var}") with system("cmd", var)
+export function fixRubySystemCall(content) {
+  const modified = content.replace(
+    /system\(\s*"([^"]*?)#\{(\w+)\}([^"]*?)"\s*\)/g,
+    (match, before, variable, after) => {
+      const cmd = (before + after).trim();
+      return `system("${cmd}", ${variable})`;
+    },
+  );
+  return modified === content ? null : modified;
+}
+
+// R4. Replace YAML.load( with YAML.safe_load(
+export function fixRubyYamlLoad(content) {
+  const modified = content.replace(
+    /YAML\.load\(/g,
+    'YAML.safe_load(',
+  );
+  return modified === content ? null : modified;
+}
+
+// R5. Add warning comment to Marshal.load usage
+export function fixRubyMarshalLoad(content) {
+  const lines = content.split('\n');
+  let changed = false;
+  const result = lines.map((line) => {
+    if (/Marshal\.load\(/.test(line) && !/SECURITY/.test(line)) {
+      changed = true;
+      return `# SECURITY WARNING: Marshal.load can execute arbitrary code — use JSON.parse instead\n${line}`;
+    }
+    return line;
+  }).join('\n');
+  return changed ? result : null;
+}
+
+// R6. Replace permit! with permit(:specific_fields) + TODO comment
+export function fixRubyPermitAll(content) {
+  const modified = content.replace(
+    /\.permit!/g,
+    '.permit(:id) # TODO: replace :id with actual permitted fields',
+  );
+  return modified === content ? null : modified;
+}
+
+// R7. Comment out skip_forgery_protection with warning
+export function fixRubySkipCsrf(content) {
+  const modified = content.replace(
+    /^(\s*)(skip_forgery_protection.*)/gm,
+    '$1# SECURITY WARNING: CSRF protection disabled — re-enable in production\n$1# $2',
+  );
+  return modified === content ? null : modified;
+}
+
+// R8. Replace eval(user_input) with safer alternative + comment
+export function fixRubyEval(content) {
+  const modified = content.replace(
+    /\beval\((\w+)\)/g,
+    '# SECURITY: eval is unsafe — use a sandboxed evaluator or whitelist approach\nJSON.parse($1) # TODO: replace with appropriate safe alternative',
+  );
+  return modified === content ? null : modified;
+}
+
+// R9. Replace open(url) with URI.open(url)
+export function fixRubyOpenUri(content) {
+  const modified = content.replace(
+    /(?<!\w)(?<!\.)open\((\s*(?:url|uri|link|\w+_url|\w+_uri)\s*)\)/gi,
+    'URI.open($1)',
+  );
+  return modified === content ? null : modified;
+}
+
+// R10. Replace Digest::MD5 with Digest::SHA256
+export function fixRubyWeakHash(content) {
+  const modified = content.replace(
+    /Digest::MD5/g,
+    'Digest::SHA256',
+  );
+  return modified === content ? null : modified;
+}
+
+// ---------------------------------------------------------------------------
+// PHP auto-fix functions
+// ---------------------------------------------------------------------------
+
+// P1. Replace mysql_query("...{$var}") with PDO prepared statement
+export function fixPhpMysqlQuery(content) {
+  const modified = content.replace(
+    /mysql_query\(\s*"([^"]*?)\{\$(\w+)\}([^"]*?)"\s*\)/g,
+    (match, before, variable, after) => {
+      return `$stmt = $pdo->prepare("${before}?${after}"); $stmt->execute([$${variable}])`;
+    },
+  );
+  return modified === content ? null : modified;
+}
+
+// P2. Replace echo $_GET['x'] with echo htmlspecialchars($_GET['x'])
+export function fixPhpEcho(content) {
+  const modified = content.replace(
+    /echo\s+(\$_(?:GET|POST|REQUEST)\s*\[\s*['"][^'"]+['"]\s*\])/g,
+    (match, variable) => {
+      if (match.includes('htmlspecialchars')) return match;
+      return `echo htmlspecialchars(${variable}, ENT_QUOTES, 'UTF-8')`;
+    },
+  );
+  return modified === content ? null : modified;
+}
+
+// P3. Add security warning comment to eval() usage (PHP)
+export function fixPhpEval(content) {
+  const lines = content.split('\n');
+  let changed = false;
+  const result = lines.map((line) => {
+    if (/\beval\s*\(/.test(line) && !/SECURITY/.test(line)) {
+      changed = true;
+      return `/* SECURITY WARNING: eval() executes arbitrary code — remove or replace with safe alternative */ ${line}`;
+    }
+    return line;
+  }).join('\n');
+  return changed ? result : null;
+}
+
+// P4. Replace exec($cmd) with escapeshellarg() wrapped version
+export function fixPhpExec(content) {
+  const modified = content.replace(
+    /\bexec\(\s*(\$\w+)\s*\)/g,
+    'exec(escapeshellcmd(escapeshellarg($1)))',
+  );
+  return modified === content ? null : modified;
+}
+
+// P5. Replace md5($password) with password_hash($password, PASSWORD_DEFAULT)
+export function fixPhpMd5Password(content) {
+  const modified = content.replace(
+    /md5\(\s*(\$password|\$pass|\$passwd|\$pwd)\s*\)/g,
+    'password_hash($1, PASSWORD_DEFAULT)',
+  );
+  return modified === content ? null : modified;
+}
+
+// P6. Replace extract($_POST) with explicit variable assignment
+export function fixPhpExtract(content) {
+  const modified = content.replace(
+    /extract\(\s*(\$_(POST|GET|REQUEST))\s*\)/g,
+    (match, superglobal) => {
+      return `/* SECURITY: extract() replaced — assign variables explicitly */\n// TODO: Replace with explicit assignments, e.g.: $name = ${superglobal}['name'];\n// extract(${superglobal})`;
+    },
+  );
+  return modified === content ? null : modified;
+}
+
+// P7. Replace == with === in auth contexts (PHP)
+export function fixPhpLooseComparison(content) {
+  const authKeywords = /password|token|secret|auth|session|user|role|admin|login|hash/i;
+  const lines = content.split('\n');
+  let changed = false;
+  const result = lines.map((line) => {
+    if (/^\s*\/\//.test(line) || /^\s*\/\*/.test(line) || /^\s*\*/.test(line) || /^\s*#/.test(line)) return line;
+    if (authKeywords.test(line) && /[^!=<>]==[^=]/.test(line)) {
+      changed = true;
+      return line.replace(/([^!=<>])={2}([^=])/g, '$1===$2');
+    }
+    return line;
+  }).join('\n');
+  return changed ? result : null;
+}
+
+// P8. Add session.cookie_httponly and session.cookie_secure
+export function fixPhpSessionConfig(content) {
+  if (!/session_start\s*\(/.test(content)) return null;
+  if (/cookie_httponly/.test(content) && /cookie_secure/.test(content)) return null;
+  const modified = content.replace(
+    /session_start\s*\(\s*\)/g,
+    "ini_set('session.cookie_httponly', 1); ini_set('session.cookie_secure', 1); session_start()",
+  );
+  return modified === content ? null : modified;
+}
+
+// P9. Add ['allowed_classes' => false] to unserialize()
+export function fixPhpUnserialize(content) {
+  const modified = content.replace(
+    /unserialize\(\s*(\$\w+)\s*\)/g,
+    "unserialize($1, ['allowed_classes' => false])",
+  );
+  return modified === content ? null : modified;
+}
+
+// P10. Add warning to include($_GET[...]) with whitelist suggestion
+export function fixPhpInclude(content) {
+  const modified = content.replace(
+    /^(\s*)((?:include|require)(?:_once)?\s*\(\s*\$_(?:GET|POST|REQUEST)\s*\[.*?\]\s*\))/gm,
+    '$1/* SECURITY: Never include files from user input — use a whitelist of allowed paths */\n$1// $2',
+  );
+  return modified === content ? null : modified;
+}
+
+/**
+ * Registry of all pattern-based fix functions, keyed by fix ID.
+ */
+export const patternFixes = {
+  'fix-eval': { fn: fixEval, tier: 2, title: 'Replace eval() with safer alternative' },
+  'fix-math-random': { fn: fixMathRandom, tier: 1, title: 'Replace Math.random() with crypto.randomUUID()' },
+  'fix-cookie-flags': { fn: fixCookieFlags, tier: 1, title: 'Add httpOnly/secure/sameSite to cookies' },
+  'fix-http-urls': { fn: fixHttpUrls, tier: 1, title: 'Replace http:// with https://' },
+  'fix-helmet-missing': { fn: fixHelmetMissing, tier: 1, title: 'Add helmet() middleware' },
+  'fix-loose-equality': { fn: fixLooseEquality, tier: 1, title: 'Replace == with === in auth comparisons' },
+  'fix-jwt-verify-alg': { fn: fixJwtVerifyAlgorithm, tier: 1, title: 'Add algorithms option to jwt.verify()' },
+  'fix-weak-hash': { fn: fixWeakHash, tier: 1, title: 'Replace MD5/SHA1 with SHA256' },
+  'fix-sql-terminator': { fn: fixSqlTerminator, tier: 2, title: 'Add SQL comment terminator' },
+  'fix-exec-to-execfile': { fn: fixExecToExecFile, tier: 2, title: 'Replace exec() with execFile()' },
+  'fix-jwt-sign-expiry': { fn: fixJwtSignExpiry, tier: 1, title: 'Add expiresIn to jwt.sign()' },
+  'fix-rate-limit': { fn: fixRateLimitMissing, tier: 2, title: 'Add rate-limit middleware' },
+  'fix-json-parse-body': { fn: fixJsonParseReqBody, tier: 2, title: 'Replace JSON.parse(req.body) with body-parser' },
+  'fix-sql-escape': { fn: fixSqlEscape, tier: 2, title: 'Add escape() to SQL user input' },
+  'fix-csp-header': { fn: fixContentSecurityPolicy, tier: 1, title: 'Add Content-Security-Policy via helmet' },
+  'fix-console-log': { fn: fixConsoleLog, tier: 1, title: 'Replace console.log with logger' },
+  'fix-ts-return-type': { fn: fixTsReturnType, tier: 1, title: 'Add return type to exported TS functions' },
+  'fix-var-to-const': { fn: fixVarToConstLet, tier: 1, title: 'Convert var to const/let' },
+  'fix-empty-catch': { fn: fixEmptyCatch, tier: 1, title: 'Add error parameter to empty catch blocks' },
+  'fix-callback-to-async': { fn: fixCallbackToAsync, tier: 2, title: 'Convert callback-style to async/await' },
+  'fix-python-debug-true': { fn: fixPythonDebugTrue, tier: 1, title: 'Replace Python DEBUG = True with env-based config' },
+  'fix-python-hardcoded-secret': { fn: fixPythonHardcodedSecret, tier: 1, title: 'Replace hardcoded SECRET_KEY with os.environ' },
+  'fix-python-shell-true': { fn: fixPythonShellTrue, tier: 2, title: 'Replace subprocess shell=True with shlex.split' },
+  'fix-python-eval': { fn: fixPythonEval, tier: 2, title: 'Replace Python eval() with ast.literal_eval()' },
+  'fix-python-pickle-load': { fn: fixPythonPickleLoad, tier: 2, title: 'Replace pickle.loads() with json.loads()' },
+  'fix-python-yaml-load': { fn: fixPythonYamlLoad, tier: 1, title: 'Replace yaml.load() with yaml.safe_load()' },
+  'fix-python-md5': { fn: fixPythonMd5, tier: 1, title: 'Replace hashlib.md5 with hashlib.sha256' },
+  'fix-python-sha1': { fn: fixPythonSha1, tier: 1, title: 'Replace hashlib.sha1 with hashlib.sha256' },
+  'fix-python-requests-no-verify': { fn: fixPythonRequestsNoVerify, tier: 1, title: 'Replace verify=False with verify=True in requests' },
+  'fix-python-requests-no-timeout': { fn: fixPythonRequestsNoTimeout, tier: 1, title: 'Add timeout to requests calls' },
+  'fix-python-os-system': { fn: fixPythonOsSystem, tier: 2, title: 'Replace os.system() with subprocess.run()' },
+  'fix-python-insecure-random': { fn: fixPythonInsecureRandom, tier: 2, title: 'Replace random.randint with secrets.randbelow' },
+  'fix-python-sql-format': { fn: fixPythonSqlFormat, tier: 2, title: 'Replace string-formatted SQL with parameterized query' },
+  'fix-python-flask-debug': { fn: fixPythonFlaskDebug, tier: 1, title: 'Replace Flask debug=True with env-based config' },
+  'fix-python-mktemp': { fn: fixPythonMktemp, tier: 1, title: 'Replace tempfile.mktemp() with tempfile.mkstemp()' },
+  'fix-python-input-py2': { fn: fixPythonInputPy2, tier: 1, title: 'Add Python 2 safety comment for input()' },
+  'fix-python-assert-security': { fn: fixPythonAssertSecurity, tier: 2, title: 'Replace assert with proper permission check' },
+  'fix-python-bind-all-interfaces': { fn: fixPythonBindAllInterfaces, tier: 1, title: 'Replace 0.0.0.0 with 127.0.0.1 in bind calls' },
+  'fix-python-xml-parse': { fn: fixPythonXmlParse, tier: 2, title: 'Replace etree.parse with defusedxml.parse' },
+  'fix-python-render-template-string': { fn: fixPythonRenderTemplateString, tier: 2, title: 'Replace render_template_string with safe version' },
+  // Go fixes
+  'fix-go-fmt-sprintf-sql': { fn: fixGoFmtSprintfSql, tier: 2, title: 'Replace fmt.Sprintf SQL with parameterized query' },
+  'fix-go-insecure-skip-verify': { fn: fixGoInsecureSkipVerify, tier: 1, title: 'Disable InsecureSkipVerify in TLS config' },
+  'fix-go-md5-import': { fn: fixGoMd5Import, tier: 1, title: 'Replace crypto/md5 with crypto/sha256' },
+  'fix-go-ignored-error': { fn: fixGoIgnoredError, tier: 2, title: 'Handle ignored Go error return values' },
+  'fix-go-http-no-timeout': { fn: fixGoHttpNoTimeout, tier: 1, title: 'Add timeout to http.Client' },
+  'fix-go-bind-all-interfaces': { fn: fixGoBindAllInterfaces, tier: 1, title: 'Replace :port with 127.0.0.1:port in net.Listen' },
+  'fix-go-template-html': { fn: fixGoTemplateHtml, tier: 2, title: 'Replace template.HTML with HTMLEscapeString' },
+  'fix-go-exec-command': { fn: fixGoExecCommand, tier: 2, title: 'Add warning to exec.Command with variable input' },
+  'fix-go-weak-rand': { fn: fixGoWeakRand, tier: 1, title: 'Replace math/rand with crypto/rand' },
+  'fix-go-defer-close': { fn: fixGoDeferClose, tier: 1, title: 'Wrap defer Close() in anonymous function' },
+  // Ruby fixes
+  'fix-ruby-find-by-sql': { fn: fixRubyFindBySql, tier: 2, title: 'Replace find_by_sql interpolation with parameterized query' },
+  'fix-ruby-html-safe': { fn: fixRubyHtmlSafe, tier: 2, title: 'Replace html_safe with sanitize()' },
+  'fix-ruby-system-call': { fn: fixRubySystemCall, tier: 2, title: 'Replace system() interpolation with argument list' },
+  'fix-ruby-yaml-load': { fn: fixRubyYamlLoad, tier: 1, title: 'Replace YAML.load with YAML.safe_load' },
+  'fix-ruby-marshal-load': { fn: fixRubyMarshalLoad, tier: 2, title: 'Add warning to Marshal.load usage' },
+  'fix-ruby-permit-all': { fn: fixRubyPermitAll, tier: 2, title: 'Replace permit! with explicit field list' },
+  'fix-ruby-skip-csrf': { fn: fixRubySkipCsrf, tier: 2, title: 'Comment out skip_forgery_protection' },
+  'fix-ruby-eval': { fn: fixRubyEval, tier: 2, title: 'Replace Ruby eval() with safer alternative' },
+  'fix-ruby-open-uri': { fn: fixRubyOpenUri, tier: 1, title: 'Replace open(url) with URI.open(url)' },
+  'fix-ruby-weak-hash': { fn: fixRubyWeakHash, tier: 1, title: 'Replace Digest::MD5 with Digest::SHA256' },
+  // PHP fixes
+  'fix-php-mysql-query': { fn: fixPhpMysqlQuery, tier: 2, title: 'Replace mysql_query with PDO prepared statement' },
+  'fix-php-echo': { fn: fixPhpEcho, tier: 1, title: 'Add htmlspecialchars to echoed user input' },
+  'fix-php-eval': { fn: fixPhpEval, tier: 2, title: 'Add security warning to PHP eval()' },
+  'fix-php-exec': { fn: fixPhpExec, tier: 2, title: 'Add escapeshellarg to exec() calls' },
+  'fix-php-md5-password': { fn: fixPhpMd5Password, tier: 1, title: 'Replace md5() with password_hash()' },
+  'fix-php-extract': { fn: fixPhpExtract, tier: 2, title: 'Replace extract() with explicit assignments' },
+  'fix-php-loose-comparison': { fn: fixPhpLooseComparison, tier: 1, title: 'Replace == with === in PHP auth contexts' },
+  'fix-php-session-config': { fn: fixPhpSessionConfig, tier: 1, title: 'Add secure session cookie settings' },
+  'fix-php-unserialize': { fn: fixPhpUnserialize, tier: 2, title: 'Add allowed_classes restriction to unserialize()' },
+  'fix-php-include': { fn: fixPhpInclude, tier: 2, title: 'Add warning to include with user input' },
+  // Advanced JS/TS fixes (21-40)
+  'fix-dangerously-set-innerhtml': { fn: fixDangerouslySetInnerHTML, tier: 2, title: 'Wrap dangerouslySetInnerHTML with DOMPurify.sanitize' },
+  'fix-document-write': { fn: fixDocumentWrite, tier: 2, title: 'Replace document.write with textContent' },
+  'fix-innerHTML': { fn: fixInnerHTML, tier: 2, title: 'Replace innerHTML with textContent' },
+  'fix-nosql-injection': { fn: fixNoSqlInjection, tier: 2, title: 'Replace unsafe $where with safe MongoDB query' },
+  'fix-prototype-pollution': { fn: fixPrototypePollution, tier: 2, title: 'Add null prototype to Object.assign' },
+  'fix-timing-attack': { fn: fixTimingAttack, tier: 2, title: 'Replace === with crypto.timingSafeEqual for secrets' },
+  'fix-path-traversal': { fn: fixPathTraversal, tier: 2, title: 'Add path traversal guard to fs operations' },
+  'fix-regex-dos': { fn: fixRegexDos, tier: 2, title: 'Sanitize user input in RegExp constructor' },
+  'fix-open-redirect': { fn: fixOpenRedirect, tier: 2, title: 'Add URL validation before redirect' },
+  'fix-no-rate-limit': { fn: fixNoRateLimit, tier: 2, title: 'Add express-rate-limit to route handlers' },
+  'fix-xss-query-param': { fn: fixXssQueryParam, tier: 2, title: 'Escape req.query in response output' },
+  'fix-hardcoded-ip': { fn: fixHardcodedIp, tier: 1, title: 'Replace hardcoded 0.0.0.0 with env-based host' },
+  'fix-no-helmet-csp': { fn: fixNoHelmetCsp, tier: 1, title: 'Add CSP directives to helmet()' },
+  'fix-sql-concat': { fn: fixSqlConcat, tier: 2, title: 'Replace SQL string concat with parameterized query' },
+  'fix-jwt-storage-local': { fn: fixJwtStorageLocal, tier: 2, title: 'Replace localStorage JWT with httpOnly cookie' },
+  'fix-cors-wildcard': { fn: fixCorsWildcard, tier: 1, title: 'Replace CORS origin wildcard with specific origins' },
+  'fix-no-input-validation': { fn: fixNoInputValidation, tier: 2, title: 'Add input validation stub for req.body' },
+  'fix-console-error': { fn: fixConsoleError, tier: 1, title: 'Replace console.error with logger.error' },
+  'fix-await-in-loop': { fn: fixAwaitInLoop, tier: 2, title: 'Replace await-in-loop with Promise.all' },
+  'fix-missing-error-handler': { fn: fixMissingErrorHandler, tier: 2, title: 'Add Express error handler middleware' },
+  // --- Data-driven registry fixes (340 entries) ---
+  ...registryPatternFixes,
+};
+
+/**
+ * Apply a pattern-based fix by ID. Returns { content, applied } or null.
+ *
+ * @param {string} fixId - The fix identifier from patternFixes registry.
+ * @param {string} content - The file content to transform.
+ * @param {object} [finding] - Optional finding context.
+ * @returns {{ content: string, applied: boolean } | null}
+ */
+export function applyPatternFix(fixId, content, finding = {}) {
+  const entry = patternFixes[fixId];
+  if (!entry) return null;
+  const result = entry.fn(content, finding);
+  if (result === null) return { content, applied: false };
+  return { content: result, applied: true };
+}
+
+/**
+ * Auto-detect which pattern fixes apply to the given content and apply all of them.
+ * Returns { content, appliedFixes: string[] }.
+ */
+export function applyAllPatternFixes(content, finding = {}) {
+  let current = content;
+  const appliedFixes = [];
+
+  for (const [id, entry] of Object.entries(patternFixes)) {
+    const result = entry.fn(current, finding);
+    if (result !== null) {
+      current = result;
+      appliedFixes.push(id);
+    }
+  }
+
+  return { content: current, appliedFixes };
+}
+
+/**
+ * Generate a unified diff string between old and new content (for --dry-run).
+ */
+export function generateDiff(oldContent, newContent, filename = 'file') {
+  const oldLines = oldContent.split('\n');
+  const newLines = newContent.split('\n');
+  const diff = [];
+
+  diff.push(`--- a/${filename}`);
+  diff.push(`+++ b/${filename}`);
+
+  // Simple line-by-line diff
+  const maxLen = Math.max(oldLines.length, newLines.length);
+  let inHunk = false;
+  let hunkStart = -1;
+
+  for (let i = 0; i < maxLen; i++) {
+    const oldLine = i < oldLines.length ? oldLines[i] : undefined;
+    const newLine = i < newLines.length ? newLines[i] : undefined;
+
+    if (oldLine !== newLine) {
+      if (!inHunk) {
+        hunkStart = Math.max(0, i - 2);
+        diff.push(`@@ -${hunkStart + 1},${oldLines.length - hunkStart} +${hunkStart + 1},${newLines.length - hunkStart} @@`);
+        // Context lines before
+        for (let j = hunkStart; j < i; j++) {
+          if (j < oldLines.length) diff.push(` ${oldLines[j]}`);
+        }
+        inHunk = true;
+      }
+      if (oldLine !== undefined) diff.push(`-${oldLine}`);
+      if (newLine !== undefined) diff.push(`+${newLine}`);
+    } else {
+      if (inHunk) {
+        // One context line after
+        if (oldLine !== undefined) diff.push(` ${oldLine}`);
+        inHunk = false;
+      }
+    }
+  }
+
+  return diff.join('\n');
+}
+
+const TIER_LABELS = {
+  1: chalk.green('safe'),
+  2: chalk.yellow('review'),
+  3: chalk.red('manual'),
+};
+
+const TIER_DESCRIPTIONS = {
+  1: 'Auto-applied without confirmation',
+  2: 'Requires review and confirmation',
+  3: 'Manual changes only — instructions provided',
+};
+
+/**
+ * Classify a finding into its fix tier.
+ * Tier 1 (safe):   Config changes, headers, .gitignore, creating security files.
+ * Tier 2 (review): Code changes like parameterized queries, bcrypt swaps.
+ * Tier 3 (manual): Architecture changes — never auto-applied.
+ */
+function getTier(finding) {
+  return finding.fix?.tier ?? 2;
+}
+
+/**
+ * Generate a unified-diff-style preview for a fix.
+ */
+function formatDiff(fix, file) {
+  const lines = [];
+  if (fix.type === 'replace' && fix.old && fix.new) {
+    lines.push(chalk.gray(`  --- a/${file}`));
+    lines.push(chalk.gray(`  +++ b/${file}`));
+    for (const l of fix.old.split('\n')) {
+      lines.push(chalk.red(`  - ${l}`));
+    }
+    for (const l of fix.new.split('\n')) {
+      lines.push(chalk.green(`  + ${l}`));
+    }
+  } else if (fix.type === 'insert' && fix.content) {
+    lines.push(chalk.gray(`  --- a/${file}`));
+    lines.push(chalk.gray(`  +++ b/${file}`));
+    for (const l of fix.content.split('\n')) {
+      lines.push(chalk.green(`  + ${l}`));
+    }
+  } else if (fix.type === 'create') {
+    lines.push(chalk.gray(`  +++ b/${fix.filePath}`));
+    for (const l of (fix.content || '').split('\n').slice(0, 10)) {
+      lines.push(chalk.green(`  + ${l}`));
+    }
+    const total = (fix.content || '').split('\n').length;
+    if (total > 10) {
+      lines.push(chalk.gray(`  ... (${total - 10} more lines)`));
+    }
+  }
+  return lines.join('\n');
+}
+
+/**
+ * Show a progress indicator: [3/10] style.
+ */
+function progress(current, total, label) {
+  const bar = '='.repeat(Math.round((current / total) * 20)).padEnd(20, ' ');
+  return `  [${bar}] ${current}/${total} ${label}`;
+}
+
+/**
+ * Check if a file is safe to modify (exists, under size limit).
+ */
+function isSafeToModify(fullPath) {
+  try {
+    const stat = statSync(fullPath);
+    if (stat.size > MAX_FILE_SIZE) {
+      return { safe: false, reason: `file exceeds ${MAX_FILE_SIZE / 1024}KB limit (${Math.round(stat.size / 1024)}KB)` };
+    }
+    return { safe: true };
+  } catch {
+    return { safe: false, reason: 'file not found' };
+  }
+}
+
+/**
+ * After applying a fix, re-read the file and verify the triggering pattern is gone.
+ */
+function verifyFix(fullPath, fix) {
+  if (fix.type === 'create') {
+    return existsSync(join(fullPath, '..', fix.filePath)) || existsSync(fix.filePath);
+  }
+  if (fix.type === 'replace' && fix.old) {
+    try {
+      const content = readFileSync(fullPath, 'utf-8');
+      return !content.includes(fix.old);
+    } catch {
+      return false;
+    }
+  }
+  return true; // inserts are assumed verified
+}
+
+/**
+ * Count total lines changed across all applied fixes.
+ */
+function countLinesChanged(appliedFixes) {
+  let added = 0;
+  let removed = 0;
+  for (const fix of appliedFixes) {
+    if (fix.type === 'replace') {
+      const oldText = fix.old || '';
+      const newText = fix.new || '';
+      removed += oldText === '' ? 0 : oldText.split('\n').length;
+      added += newText === '' ? 0 : newText.split('\n').length;
+    } else if (fix.type === 'insert') {
+      const text = fix.content || '';
+      added += text === '' ? 0 : text.split('\n').length;
+    } else if (fix.type === 'create') {
+      const text = fix.content || '';
+      added += text === '' ? 0 : text.split('\n').length;
+    }
+  }
+  return { added, removed };
+}
+
+/**
+ * Create a git stash backup before applying fixes.
+ * Returns true if stash was created.
+ */
+function createBackup(targetPath) {
+  try {
+    const before = execSync('git stash list', { cwd: targetPath, stdio: 'pipe' }).toString();
+    execSync('git stash push -m "doorman-backup-before-fix"', {
+      cwd: targetPath,
+      stdio: 'pipe',
+    });
+    const after = execSync('git stash list', { cwd: targetPath, stdio: 'pipe' }).toString();
+    // If stash list didn't change, there was nothing to stash
+    return before !== after;
+  } catch {
+    return false;
+  }
+}
+
+/**
+ * Pop the most recent doorman backup from git stash.
+ */
+function rollback(targetPath, silent) {
+  try {
+    const list = execSync('git stash list', { cwd: targetPath, stdio: 'pipe' }).toString();
+    const match = list.match(/stash@\{(\d+)\}.*doorman-backup-before-fix/);
+    if (!match) {
+      if (!silent) {
+        console.log(chalk.yellow('  No doorman backup found in git stash.'));
+      }
+      return false;
+    }
+    execSync(`git stash pop stash@{${match[1]}}`, {
+      cwd: targetPath,
+      stdio: 'pipe',
+    });
+    if (!silent) {
+      console.log(chalk.green('  Rolled back to doorman backup.'));
+    }
+    return true;
+  } catch (e) {
+    if (!silent) {
+      console.log(chalk.red(`  Rollback failed: ${e.message}`));
+    }
+    return false;
+  }
+}
+
+/**
+ * Apply a single fix to file content. Returns updated content or null on failure.
+ */
+function applyFix(content, fix) {
+  if (fix.type === 'replace' && fix.old && fix.new) {
+    if (content.includes(fix.old)) {
+      return content.replace(fix.old, fix.new);
+    }
+    return null;
+  }
+  if (fix.type === 'insert' && fix.content && fix.position !== undefined) {
+    const lines = content.split('\n');
+    lines.splice(fix.position, 0, fix.content);
+    return lines.join('\n');
+  }
+  return null;
+}
+
+/**
+ * Tiered auto-fix system for Doorman.
+ *
+ * Tiers:
+ *   1 (safe)   — Config changes, headers, .gitignore, security files. Auto-applied.
+ *   2 (review) — Code changes (parameterized queries, bcrypt). Shows diff, requires confirm.
+ *   3 (manual) — Architecture changes. Shows instructions only.
+ *
+ * Usage:
+ *   doorman fix              — dry-run (default), shows what would change
+ *   doorman fix --apply      — actually apply fixes
+ *   doorman fix --undo       — rollback the last backup
+ *
+ * @param {string} targetPath - Root path of the project to fix.
+ * @param {object} options
+ * @param {boolean} options.dryRun  - Explicit dry-run flag (default behavior).
+ * @param {boolean} options.apply   - Actually apply fixes.
+ * @param {boolean} options.undo    - Rollback the last doorman stash backup.
+ * @param {boolean} options.silent  - Suppress output.
+ */
+export async function fix(targetPath, options = {}) {
+  const silent = options.silent || false;
+  const shouldApply = options.apply === true;
+  const isDryRun = !shouldApply;
+
+  if (!silent) {
+    console.log('');
+    console.log(chalk.bold.cyan('  Doorman — Tiered Auto-Fix'));
+    console.log('');
+  }
+
+  // Handle rollback
+  if (options.undo) {
+    if (!silent) console.log(chalk.gray('  Rolling back last doorman backup...'));
+    const ok = rollback(targetPath, silent);
+    if (!silent) console.log('');
+    return { rolledBack: ok };
+  }
+
+  // Load cached scan results if available (instant), otherwise scan
+  if (!silent) console.log(chalk.gray('  Loading scan results...'));
+  let result;
+  try {
+    const { loadScanCache } = await import('./scan-cache.js');
+    const cache = loadScanCache(targetPath);
+    if (cache && cache.findings && cache.findings.length > 0) {
+      result = { findings: cache.findings, score: cache.score, stack: cache.stack };
+      if (!silent) console.log(chalk.gray(`  Using cached scan (${cache.findings.length} findings from ${cache.timestamp.split('T')[0]})`));
+    }
+  } catch { /* ignore cache errors */ }
+
+  if (!result) {
+    if (!silent) console.log(chalk.gray('  No cached scan found. Running scan...'));
+    result = await check(targetPath, { ...options, silent: true });
+  }
+
+  const fixable = result.findings.filter(f => f.fix);
+
+  // Load rules for verification (re-check findings after fix)
+  let allRules = [];
+  try {
+    const { loadRules } = await import('./rules/index.js');
+    allRules = loadRules({ category: 'security,bugs' });
+  } catch { /* rules not available — skip verification */ }
+
+  if (fixable.length === 0) {
+    if (!silent) {
+      console.log(chalk.green.bold('  No auto-fixable issues found.'));
+      console.log('');
+    }
+    return { fixed: 0, failed: 0, skipped: 0, findings: [] };
+  }
+
+  // Classify by tier
+  let tier1 = fixable.filter(f => getTier(f) === 1);
+  let tier2 = fixable.filter(f => getTier(f) === 2);
+  const tier3 = fixable.filter(f => getTier(f) === 3);
+
+  if (!silent) {
+    console.log(chalk.bold(`  Found ${fixable.length} fixable issue${fixable.length === 1 ? '' : 's'}`));
+    if (tier3.length) console.log(chalk.gray(`    + ${tier3.length} need manual changes`));
+    console.log('');
+  }
+
+  // Dry-run mode (default): show what would change
+  if (isDryRun) {
+    if (!silent) {
+      console.log(chalk.gray('  Dry-run mode (default). Use --apply to apply fixes.'));
+      console.log('');
+
+      for (const finding of tier1) {
+        console.log(chalk.green(`    [safe]   Would auto-fix: ${finding.title}`));
+        if (finding.file) console.log(chalk.gray(`             in ${finding.file}`));
+      }
+      for (const finding of tier2) {
+        console.log(chalk.yellow(`    [review] Would fix (with confirmation): ${finding.title}`));
+        if (finding.file) console.log(chalk.gray(`             in ${finding.file}`));
+        if (finding.fix) console.log(formatDiff(finding.fix, finding.file || finding.fix.filePath || ''));
+      }
+      for (const finding of tier3) {
+        console.log(chalk.red(`    [manual] Requires manual change: ${finding.title}`));
+        if (finding.fix?.instructions) {
+          console.log(chalk.gray(`             ${finding.fix.instructions}`));
+        }
+      }
+
+      console.log('');
+    }
+    return { dryRun: true, fixable: fixable.length, tier1: tier1.length, tier2: tier2.length, tier3: tier3.length };
+  }
+
+  // --- Apply mode ---
+
+  // Collect unique files to be modified
+  const filesToModify = new Set();
+  for (const f of [...tier1, ...tier2]) {
+    if (f.file) filesToModify.add(f.file);
+  }
+
+  // Safety: max file count
+  if (filesToModify.size > MAX_FILES_PER_RUN) {
+    if (!silent) {
+      console.log(chalk.red(`  Aborted: would modify ${filesToModify.size} files (limit is ${MAX_FILES_PER_RUN}).`));
+      console.log('');
+    }
+    return { fixed: 0, failed: 0, aborted: true, reason: 'too many files' };
+  }
+
+  // Safety: check file sizes
+  for (const file of filesToModify) {
+    const fullPath = join(targetPath, file);
+    const check = isSafeToModify(fullPath);
+    if (!check.safe) {
+      if (!silent) {
+        console.log(chalk.red(`  Skipping ${file}: ${check.reason}`));
+      }
+    }
+  }
+
+  // Create git stash backup
+  const backedUp = createBackup(targetPath);
+  if (!silent) {
+    if (backedUp) {
+      console.log(chalk.green('  ✓ Backup created. Run `npx getdoorman fix --undo` if anything breaks.'));
+    }
+    console.log('');
+  }
+
+  let fixedCount = 0;
+  let failedCount = 0;
+  let skippedCount = 0;
+  let verifiedCount = 0;
+  const appliedFixes = [];
+  const allFindings = [...tier1, ...tier2];
+  const total = allFindings.length;
+  let current = 0;
+  const maxFixes = options.maxFixes || Infinity;
+  let creditLimitHit = false;
+
+  // --- Apply registry-based fixes per file ---
+  // Group all fixable findings by file
+  const findingsByFile = {};
+  const findingsNoFile = [];
+  for (const finding of allFindings) {
+    if (finding.file) {
+      if (!findingsByFile[finding.file]) findingsByFile[finding.file] = [];
+      findingsByFile[finding.file].push(finding);
+    } else {
+      findingsNoFile.push(finding);
+    }
+  }
+
+  if (!silent && allFindings.length > 0) {
+    console.log(chalk.green.bold('  Applying fixes:'));
+  }
+
+  for (const [file, findings] of Object.entries(findingsByFile)) {
+    const fullPath = join(targetPath, file);
+    const sizeCheck = isSafeToModify(fullPath);
+    if (!sizeCheck.safe) {
+      skippedCount += findings.length;
+      current += findings.length;
+      continue;
+    }
+
+    try {
+      let content = readFileSync(fullPath, 'utf-8');
+      const original = content;
+
+      // For each finding, try to fix it and verify the fix works
+      for (const finding of findings) {
+        current++;
+        if (fixedCount >= maxFixes) { creditLimitHit = true; skippedCount++; continue; }
+
+        const beforeFix = content;
+
+        // Try 1: finding-level fix (type: replace with old/new)
+        let attempted = false;
+        if (finding.fix && typeof finding.fix === 'object' && finding.fix.type === 'replace') {
+          const updated = applyFix(content, finding.fix);
+          if (updated !== null) { content = updated; attempted = true; }
+        }
+
+        // Try 2: registry pattern fix (run all, take the diff)
+        if (!attempted) {
+          const { content: regFixed, applied } = applyAllRegistryFixes(content, file, registryEntries);
+          if (applied.length > 0) { content = regFixed; attempted = true; }
+        }
+
+        // Try 3: inline pattern fix
+        if (!attempted) {
+          const fixId = finding.fix && typeof finding.fix === 'string' ? finding.fix : null;
+          const pfn = fixId ? patternFixes[fixId] : null;
+          if (pfn) {
+            const updated = pfn.fn(content);
+            if (updated !== null) { content = updated; attempted = true; }
+          }
+        }
+
+        // Verify: did the fix actually resolve the finding?
+        if (attempted && content !== beforeFix) {
+          // Re-run the specific rule on the new content to verify
+          let stillDetected = false;
+          if (finding.ruleId) {
+            try {
+              const tempFiles = new Map([[file, content]]);
+              const rule = allRules.find(r => r.id === finding.ruleId);
+              if (rule) {
+                const recheck = rule.check({ files: tempFiles, stack: result.stack || {}, silent: true });
+                const recheckArr = Array.isArray(recheck) ? recheck : [];
+                // Check if same finding still exists on same line
+                stillDetected = recheckArr.some(f =>
+                  f.file === file && (!finding.line || f.line === finding.line)
+                );
+              }
+            } catch { /* rule threw — assume fixed */ }
+          }
+
+          if (!stillDetected) {
+            fixedCount++;
+            if (!silent) {
+              console.log(chalk.green(`    ✓ ${finding.title}`));
+              console.log(chalk.gray(`      in ${file}`));
+            }
+          } else {
+            // Fix changed the file but didn't resolve the finding — rollback
+            content = beforeFix;
+          }
+        } else if (attempted) {
+          content = beforeFix;
+        }
+      }
+
+      // Write if content changed — with syntax verification
+      if (content !== original) {
+        // Verify the fixed code still parses before writing
+        if (isSyntaxValid(fullPath, content)) {
+          writeFileSync(fullPath, content, 'utf-8');
+        } else {
+          // Syntax broken — rollback this file, don't count as fixed
+          if (!silent) {
+            console.log(chalk.red(`    ✗ Fix broke syntax in ${file} — rolled back`));
+          }
+          fixedCount -= findings.filter(f => f._fixed).length;
+          content = original; // don't write
+        }
+      }
+
+      // Verify fixes
+      for (const finding of findings) {
+        if (finding.fix && typeof finding.fix === 'object') {
+          if (verifyFix(fullPath, finding.fix)) verifiedCount++;
+        }
+      }
+    } catch (e) {
+      failedCount += findings.length;
+      current += findings.length;
+      if (!silent) console.log(chalk.red(`    ✗ Failed to apply fixes for ${relativePath}: ${e.message}`));
+    }
+  }
+
+  // File-creation fixes (no source file)
+  for (const finding of findingsNoFile) {
+    current++;
+    if (finding.fix?.type === 'create' && finding.fix.filePath && finding.fix.content) {
+      try {
+        const createPath = join(targetPath, finding.fix.filePath);
+        writeFileSync(createPath, finding.fix.content, 'utf-8');
+        appliedFixes.push(finding.fix);
+        fixedCount++;
+        if (!silent) console.log(chalk.green(`    ${progress(current, total, '')} ✓ ${finding.title} (created ${finding.fix.filePath})`));
+        verifiedCount++;
+      } catch {
+        failedCount++;
+        if (!silent) console.log(chalk.red(`    ${progress(current, total, '')} ✗ ${finding.title} (create failed)`));
+      }
+    }
+  }
+
+  // --- AI Fix: try AI for findings regex couldn't fix ---
+  const hasApiKey = process.env.ANTHROPIC_API_KEY || process.env.OPENAI_API_KEY;
+  if (hasApiKey && shouldApply && failedCount > 0 && fixedCount < maxFixes) {
+    try {
+      const { aiFixAll } = await import('./ai-fixer.js');
+      const { resolve: resolvePath } = await import('path');
+      const resolvedPath = resolvePath(targetPath);
+
+      // Collect unfixed findings that have files
+      const unfixed = allFindings.filter(f => f.file && !f._regexFixed).slice(0, Math.min(10, maxFixes - fixedCount));
+
+      if (unfixed.length > 0) {
+        if (!silent) {
+          console.log('');
+          console.log(chalk.cyan('  Trying AI fixes for remaining issues...'));
+        }
+
+        // Build file content map
+        const fileContentMap = {};
+        for (const f of unfixed) {
+          if (f.file && !fileContentMap[f.file]) {
+            try { fileContentMap[f.file] = readFileSync(join(targetPath, f.file), 'utf-8'); } catch {}
+          }
+        }
+
+        const aiResults = await aiFixAll(unfixed, fileContentMap, { cwd: resolvedPath });
+
+        for (const { finding, fix: aiFix } of aiResults) {
+          if (fixedCount >= maxFixes) break;
+          if (!aiFix || !aiFix.old || !aiFix.new || !finding.file) continue;
+
+          const fullPath = join(targetPath, finding.file);
+          try {
+            let content = readFileSync(fullPath, 'utf-8');
+            if (content.includes(aiFix.old)) {
+              const newContent = content.replace(aiFix.old, aiFix.new);
+              if (isSyntaxValid(fullPath, newContent)) {
+                writeFileSync(fullPath, newContent, 'utf-8');
+                fixedCount++;
+                if (!silent) {
+                  console.log(chalk.green(`    ✓ ${finding.title}`));
+                  console.log(chalk.gray(`      in ${finding.file} (AI fix)`));
+                }
+              }
+            }
+          } catch {}
+        }
+      }
+    } catch {
+      // AI fixer not available or failed — continue silently
+    }
+  }
+
+  // --- Tier 3: manual instructions only ---
+  if (tier3.length > 0 && !silent) {
+    console.log('');
+    console.log(chalk.red.bold('  Tier 3 — Manual changes required:'));
+    for (const finding of tier3) {
+      console.log('');
+      console.log(chalk.red(`    ⚠ ${finding.title}`));
+      if (finding.file) console.log(chalk.gray(`      File: ${finding.file}`));
+      if (finding.fix?.instructions) {
+        console.log(chalk.white(`      Instructions: ${finding.fix.instructions}`));
+      }
+    }
+    skippedCount += tier3.length;
+  }
+
+  // --- Summary ---
+  const { added, removed } = countLinesChanged(appliedFixes);
+
+  // Estimate new score from cached findings minus what we fixed
+  let postScore = null;
+  let remainingFixable = 0;
+  if (fixedCount > 0 && shouldApply) {
+    try {
+      // Load the cached scan and remove findings we fixed
+      const { loadScanCache, saveScanCache } = await import('./scan-cache.js');
+      const cache = loadScanCache(targetPath);
+      if (cache && cache.findings) {
+        // Remove fixed findings (match by ruleId + file)
+        const fixedKeys = new Set();
+        for (const [file, findings] of Object.entries(findingsByFile)) {
+          for (const f of findings) {
+            fixedKeys.add(`${f.ruleId}:${f.file}:${f.line}`);
+          }
+        }
+        const remaining = cache.findings.filter(f => {
+          const key = `${f.ruleId}:${f.file}:${f.line}`;
+          return !fixedKeys.has(key);
+        });
+
+        postScore = (await import('./reporter.js')).calculateScore(remaining);
+        remainingFixable = remaining.filter(f => f.fix).length;
+
+        // Update cache with remaining findings
+        saveScanCache(targetPath, remaining, cache.stack, postScore);
+      }
+    } catch {
+      // Non-critical
+    }
+  }
+
+  if (!silent) {
+    console.log('');
+    console.log(chalk.bold('  ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━'));
+    console.log('');
+
+    if (fixedCount > 0) {
+      console.log(chalk.green.bold(`  ✓ ${fixedCount} issue${fixedCount === 1 ? '' : 's'} fixed`));
+      if (postScore !== null) {
+        const scoreColor = postScore >= 70 ? chalk.green.bold : postScore >= 40 ? chalk.yellow.bold : chalk.red.bold;
+        console.log(`    Score: ${scoreColor(`${postScore}/100`)}`);
+      }
+    } else {
+      console.log(chalk.dim('  No fixes applied this run.'));
+    }
+
+    if (remainingFixable > 0) {
+      console.log('');
+      console.log(chalk.cyan(`  ${remainingFixable} more issue${remainingFixable === 1 ? '' : 's'} can be fixed with AI Fix (Pro plan).`));
+      console.log(chalk.gray('  Upgrade at https://doorman.sh/pro'));
+    }
+
+    if (tier3.length > 0) {
+      console.log('');
+      console.log(chalk.dim(`  ${tier3.length} issue${tier3.length === 1 ? '' : 's'} need manual review (run --detail to see).`));
+    }
+
+    if (backedUp) {
+      console.log('');
+      console.log(chalk.gray('  Backup saved. Run `npx getdoorman fix --undo` to rollback.'));
+    }
+
+    console.log('');
+    console.log(chalk.bold('  ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━'));
+    console.log('');
+  }
+
+  recordFix(targetPath, { applied: fixedCount, offered: fixable.length, accepted: fixedCount });
+
+  // Generate unified diff output for piping to git apply
+  if (isDryRun && options.diff && appliedFixes.length > 0) {
+    console.log('');
+    console.log(chalk.bold('  Unified diff (pipe to `git apply`):'));
+    console.log('');
+    for (const fix of appliedFixes) {
+      if (fix.original && fix.modified && fix.filePath) {
+        const orig = fix.original.split('\n');
+        const mod = fix.modified.split('\n');
+        console.log(`--- a/${fix.filePath}`);
+        console.log(`+++ b/${fix.filePath}`);
+        // Simple line-by-line diff
+        const maxLen = Math.max(orig.length, mod.length);
+        let hunkStart = -1;
+        for (let i = 0; i < maxLen; i++) {
+          if (orig[i] !== mod[i]) {
+            if (hunkStart < 0) {
+              hunkStart = Math.max(0, i - 2);
+              console.log(`@@ -${hunkStart + 1},${orig.length} +${hunkStart + 1},${mod.length} @@`);
+            }
+            if (i < orig.length && orig[i] !== undefined) console.log(`-${orig[i]}`);
+            if (i < mod.length && mod[i] !== undefined) console.log(`+${mod[i]}`);
+          }
+        }
+      }
+    }
+  }
+
+  return { fixed: fixedCount, failed: failedCount, skipped: skippedCount, verified: verifiedCount, linesAdded: added, linesRemoved: removed };
+}