i18ntk 2.4.0 → 2.5.1

package/CODE_OF_CONDUCT.md

@@ -0,0 +1,133 @@
+# Contributor Covenant Code of Conduct
+
+## Our Pledge
+
+We as members, contributors, and leaders pledge to make participation in our
+community a harassment-free experience for everyone, regardless of age, body
+size, visible or invisible disability, ethnicity, sex characteristics, gender
+identity and expression, level of experience, education, socio-economic status,
+nationality, personal appearance, race, caste, color, religion, or sexual identity
+and orientation.
+
+We pledge to act and interact in ways that contribute to an open, welcoming,
+diverse, inclusive, and healthy community.
+
+## Our Standards
+
+Examples of behavior that contributes to a positive environment for our
+community include:
+
+* Demonstrating empathy and kindness toward other people
+* Being respectful of differing opinions, viewpoints, and experiences
+* Giving and gracefully accepting constructive feedback
+* Accepting responsibility and apologizing to those affected by our mistakes,
+  and learning from the experience
+* Focusing on what is best not just for us as individuals, but for the overall
+  community
+
+Examples of unacceptable behavior include:
+
+* The use of sexualized language or imagery, and sexual attention or advances
+of any kind
+* Trolling, insulting or derogatory comments, and personal or political attacks
+* Public or private harassment
+* Publishing others' private information, such as a physical or email address,
+  without their explicit permission
+* Other conduct which could reasonably be considered inappropriate in a
+  professional setting
+
+## Enforcement Responsibilities
+
+Community leaders are responsible for clarifying and enforcing our standards of
+acceptable behavior and will take appropriate and fair corrective action in
+response to any behavior that they deem inappropriate, threatening, offensive,
+or harmful.
+
+Community leaders have the right and responsibility to remove, edit, or reject
+comments, commits, code, wiki edits, issues, and other contributions that are
+not aligned to this Code of Conduct, and will communicate reasons for moderation
+decisions when appropriate.
+
+## Scope
+
+This Code of Conduct applies within all community spaces, and also applies when
+an individual is officially representing the community in public spaces.
+Examples of representing our community include using an official e-mail address,
+posting via an official social media account, or acting as an appointed
+representative at an online or offline event.
+
+## Enforcement
+
+Instances of abusive, harassing, or otherwise unacceptable behavior may be
+reported to the community leaders responsible for enforcement at
+GitHub Security Advisories for sensitive reports, or GitHub issues for non-sensitive community concerns.
+All complaints will be reviewed and investigated promptly and fairly.
+
+All community leaders are obligated to respect the privacy and security of the
+reporter of any incident.
+
+## Enforcement Guidelines
+
+Community leaders will follow these Community Impact Guidelines in determining
+the consequences for any action they deem in violation of this Code of Conduct:
+
+### 1. Correction
+
+**Community Impact**: Use of inappropriate language or other behavior deemed
+unprofessional or unwelcome in the community.
+
+**Consequence**: A private, written warning from community leaders, providing
+clarity around the nature of the violation and an explanation of why the
+behavior was inappropriate. A public apology may be requested.
+
+### 2. Warning
+
+**Community Impact**: A violation through a single incident or series of
+actions.
+
+**Consequence**: A warning with consequences for continued behavior. No
+interaction with the people involved, including unsolicited interaction with
+those enforcing the Code of Conduct, for a specified period of time. This
+includes avoiding interactions in community spaces as well as external channels
+like social media. Violating these terms may lead to a temporary or permanent
+ban.
+
+### 3. Temporary Ban
+
+**Community Impact**: A serious violation of community standards, including
+sustained inappropriate behavior.
+
+**Consequence**: A temporary ban from any sort of interaction or public
+communication with the community for a specified period of time. No public or
+private interaction with the people involved, including unsolicited interaction
+with those enforcing the Code of Conduct, is allowed during this period.
+Violating these terms may lead to a permanent ban.
+
+### 4. Permanent Ban
+
+**Community Impact**: Demonstrating a pattern of violation of community
+standards, including sustained inappropriate behavior, harassment of an
+individual, or aggression toward or disparagement of classes of individuals.
+
+**Consequence**: A permanent ban from any sort of public interaction within the
+community.
+
+## Attribution
+
+This Code of Conduct is adapted from the [Contributor Covenant][homepage],
+version 2.1, available at
+[https://www.contributor-covenant.org/version/2/1/code_of_conduct.html][v2.1].
+
+Community Impact Guidelines were inspired by [Mozilla's code of conduct
+enforcement ladder][Mozilla CoC].
+
+[homepage]: https://www.contributor-covenant.org
+[v2.1]: https://www.contributor-covenant.org/version/2/1/code_of_conduct.html
+[Mozilla CoC]: https://github.com/mozilla/diversity
+
+For answers to common questions about this code of conduct, see the FAQ at
+[https://www.contributor-covenant.org/faq][FAQ]. Translations are available at
+[https://www.contributor-covenant.org/translations][translations].
+
+[FAQ]: https://www.contributor-covenant.org/faq
+[translations]: https://www.contributor-covenant.org/translations

package/CONTRIBUTING.md

@@ -0,0 +1,41 @@
+# Contributing to i18ntk
+
+Thanks for helping improve i18ntk.
+
+## Project Priorities
+
+- Keep the npm package zero-dependency.
+- Keep the published package minimal and free of tests, local setup state, reports, backups, logs, credentials, and generated artifacts.
+- Preserve backward compatibility unless a breaking change is intentional and documented.
+- Prefer small, well-tested fixes over broad refactors.
+
+## Development Setup
+
+Clone the repository, install with npm, and run the project validation checks before opening a pull request.
+
+## Release Validation
+
+Maintainer release commands are documented in the repository development guide. The package published to npm uses a stripped public manifest.
+
+## Security
+
+Follow the security guidance in `SECURITY.md` and `docs/development/AGENTS.md`.
+
+Report vulnerabilities through GitHub Security Advisories. Do not open public issues for sensitive security reports.
+
+## Translations
+
+When editing `ui-locales/`, preserve JSON structure, placeholders, command names, file paths, and config keys.
+
+Run:
+
+Run the locale lint check before submitting translation changes.
+
+## Pull Requests
+
+Include:
+
+- the problem being fixed
+- the user-visible behavior change
+- validation commands that were run
+- any remaining risk or unverified behavior

package/FUNDING.md

@@ -0,0 +1,5 @@
+# Funding
+
+i18ntk does not request project donations.
+
+If you wanted to give something, please give it to a charity or community cause you trust.

package/README.md

@@ -1,20 +1,60 @@
-# i18ntk v2.4.0
+# i18ntk v2.5.1
 
 Zero-dependency internationalization toolkit for setup, scanning, analysis, validation, usage tracking, and translation completion.
 
-![i18ntk Logo](docs/screenshots/i18ntk-logo-public.PNG)
+![i18ntk Logo](https://raw.githubusercontent.com/vladnoskv/i18ntk/main/docs/screenshots/i18ntk-logo-public.PNG)
 
 [![npm version](https://img.shields.io/npm/v/i18ntk.svg?color=brightgreen)](https://www.npmjs.com/package/i18ntk)
 [![npm downloads](https://img.shields.io/npm/dt/i18ntk.svg)](https://www.npmjs.com/package/i18ntk)
 [![node](https://img.shields.io/badge/node-%3E%3D16-339933)](https://nodejs.org)
 [![dependencies](https://img.shields.io/badge/dependencies-0-success)](https://www.npmjs.com/package/i18ntk)
 [![license](https://img.shields.io/badge/license-MIT-yellow.svg)](LICENSE)
-[![socket](https://socket.dev/api/badge/npm/package/i18ntk/2.4.0)](https://socket.dev/npm/package/i18ntk/overview/2.4.0)
+[![socket](https://socket.dev/api/badge/npm/package/i18ntk/2.5.1)](https://socket.dev/npm/package/i18ntk/overview/2.5.1)
 
 ## Upgrade Notice
 
-Versions earlier than `2.4.0` may contain known stability and security issues.
-They are considered unsupported for production use. Upgrade to `2.4.0` or newer.
+Versions earlier than `2.5.1` may contain known stability and security issues.
+They are considered unsupported for production use. Upgrade to `2.5.1` or newer.
+
+## v2.5.1 Security Update
+
+`v2.5.1` is a security and packaging-process update for the `2.5.x` release line.
+
+### Change Summary
+
+- Hardened `utils/admin-auth.js` so `verifyPin()` fails closed when admin config is missing, disabled, or malformed.
+- Hardened auth-required checks so enabled PIN protection does not silently bypass authentication when admin config is unusable.
+- Normalized admin session expiry handling by storing both `expires` and `expiresAt` and cleaning up either format consistently.
+- Marked the root `package.json` as development-only and added a separate public manifest flow.
+- Added package scripts to stage, pack, and publish the public npm package from `package.public.json`.
+- Added a root publish guard via `prepack` and `prepublishOnly` to block accidental publishing of the development manifest.
+- Updated ignore rules to exclude release staging artifacts and public package metadata from the repo/package payload.
+- Replaced the expanded `SECURITY.md` policy with a shorter reporting-oriented policy and added community docs links.
+- Updated docs and release reset automation to use `npm run package:public` instead of `npm pack --dry-run`.
+
+### Files Changed
+
+- `utils/admin-auth.js`: fixed fail-open PIN verification and session expiry consistency.
+- `tests/security.test.js`: added admin-auth fail-closed and session cleanup coverage.
+- `package.json`: set development-only metadata, adjusted included files, and added public packaging/publish scripts.
+- `package.public.json`: introduced the stripped public npm manifest.
+- `scripts/build-public-package.js`: added the public package staging, pack, and publish workflow.
+- `scripts/prevent-root-publish.js`: added a guard against publishing the root development manifest.
+- `scripts/reset-release-state.js`: switched release validation to the public package build flow.
+- `README.md`, `docs/README.md`, `docs/development/AGENTS.md`, `docs/migration-guide-v2.5.1.md`, `docs/migration-guide-v2.5.0.md`: documented the security fix, packaging, and community file layout.
+- `SECURITY.md`, `CODE_OF_CONDUCT.md`, `CONTRIBUTING.md`, `FUNDING.md`: updated or added community and security-facing docs.
+- `.gitignore`, `.npmignore`: excluded release staging output and public-package metadata.
+
+### Audit Trail
+
+- Risk addressed: AI-based analysis flagged `verifyPin()` as fail-open when admin config was missing or disabled.
+- Behavior change: direct `verifyPin()` calls now return `false` unless a usable enabled PIN config exists.
+- Behavior change: when settings require PIN auth but admin config is broken, protected auth checks now require authentication and verification fails closed.
+- Risk: the root manifest is intentionally non-publishable, so publishing flows must use the public-package scripts.
+- Behavior change: `npm pack` and `npm publish` at the repo root are blocked by guard scripts.
+- Behavior change: the public npm payload is staged from `package.public.json` rather than the development manifest.
+- Validation note: release-state reset now exercises `npm run package:public` as part of its checks.
+- Validation note: this documentation update describes the working tree changes used for the packaging split.
 
 ## What i18ntk Does
 
@@ -154,7 +194,7 @@ Example `.i18ntk-config`:
 
 ```json
 {
-  "version": "2.4.0",
+  "version": "2.5.1",
   "sourceDir": "./locales",
   "i18nDir": "./locales",
   "outputDir": "./i18ntk-reports",
@@ -170,15 +210,22 @@ See [docs/api/CONFIGURATION.md](docs/api/CONFIGURATION.md) for the full configur
 
 ## Docs
 
-- [Documentation Index](docs/README.md)
-- [Getting Started](docs/getting-started.md)
-- [API Reference](docs/api/API_REFERENCE.md)
-- [Configuration Guide](docs/api/CONFIGURATION.md)
-- [Runtime API Guide](docs/runtime.md)
-- [Scanner Guide](docs/scanner-guide.md)
-- [Environment Variables](docs/environment-variables.md)
-- [Migration Guide v2.4.0](docs/migration-guide-v2.4.0.md)
-- [Optimization Prompt](docs/development/package-optimization-prompt.md)
+- [Documentation Index](https://github.com/vladnoskv/i18ntk/blob/main/docs/README.md)
+- [Getting Started](https://github.com/vladnoskv/i18ntk/blob/main/docs/getting-started.md)
+- [API Reference](https://github.com/vladnoskv/i18ntk/blob/main/docs/api/API_REFERENCE.md)
+- [Configuration Guide](https://github.com/vladnoskv/i18ntk/blob/main/docs/api/CONFIGURATION.md)
+- [Runtime API Guide](https://github.com/vladnoskv/i18ntk/blob/main/docs/runtime.md)
+- [Scanner Guide](https://github.com/vladnoskv/i18ntk/blob/main/docs/scanner-guide.md)
+- [Environment Variables](https://github.com/vladnoskv/i18ntk/blob/main/docs/environment-variables.md)
+- [Migration Guide v2.5.1](https://github.com/vladnoskv/i18ntk/blob/main/docs/migration-guide-v2.5.1.md)
+- [Migration Guide v2.5.0](https://github.com/vladnoskv/i18ntk/blob/main/docs/migration-guide-v2.5.0.md)
+
+## Community
+
+- [Contributing](CONTRIBUTING.md)
+- [Code of Conduct](CODE_OF_CONDUCT.md)
+- [Security Policy](SECURITY.md)
+- [Funding](FUNDING.md)
 
 ## Code of Conduct
 

package/SECURITY.md

@@ -0,0 +1,52 @@
+# Security Policy
+
+## Supported Versions
+
+The supported production line is `2.5.x`.
+
+Versions earlier than `2.5.0` are not recommended for production use because later releases include package, filesystem, environment, and admin-auth hardening.
+
+## Security Model
+
+i18ntk is a local developer CLI and runtime helper. It is expected to read and write project files, but it must do so with conservative path validation and without external runtime dependencies.
+
+Security priorities:
+
+- zero runtime dependencies
+- no install-time lifecycle commands in the public package manifest
+- no shipped local setup state, admin PINs, backups, reports, logs, credentials, or generated artifacts
+- centralized environment-variable access through `utils/env-manager.js`
+- path containment checks based on resolved paths and `path.relative()`
+- timing-safe comparison for authentication hashes or tokens
+- silent-by-default logging for production-like contexts
+
+## Published Package Controls
+
+The npm package uses a stripped public manifest. It must not contain install-time lifecycle commands, dependency fields, local setup state, or development tooling.
+
+## Reporting Vulnerabilities
+
+Do not report security vulnerabilities in public GitHub issues.
+
+Use GitHub Security Advisories for private vulnerability reports. Include:
+
+- affected version
+- clear reproduction steps
+- expected and actual behavior
+- impact assessment
+- proof of concept, if safe to share privately
+
+## Disclosure Process
+
+Security reports are reviewed privately first. Confirmed issues should receive:
+
+- a fix or mitigation
+- a release note or migration note when user action is required
+- an npm release when the fix affects published users
+
+## User Guidance
+
+- Keep i18ntk updated to `2.5.0` or newer.
+- Do not commit `.i18ntk-config`, admin PIN files, backup directories, generated reports, logs, npm credentials, or secret material.
+- Run i18ntk only in project directories you trust.
+- Review generated translation changes before committing them.

package/main/manage/commands/FixerCommand.js

@@ -27,21 +27,21 @@ class FixerCommand {
         // Initialize fixer properties
         this.sourceDir = null;
         this.outputDir = null;
-        this.backupDir = null;
-        this.dryRun = false;
-        this.force = false;
-    }
-
-    isExcludedLanguageDirectory(name) {
-        if (!name || typeof name !== 'string') return true;
-        const lowered = name.toLowerCase();
-        return lowered.startsWith('backup-') ||
-               lowered === 'backup' ||
-               lowered === 'backups' ||
-               lowered === 'i18ntk-backups' ||
-               lowered === 'reports' ||
-               lowered === 'i18ntk-reports';
-    }
+        this.backupDir = null;
+        this.dryRun = false;
+        this.force = false;
+    }
+
+    isExcludedLanguageDirectory(name) {
+        if (!name || typeof name !== 'string') return true;
+        const lowered = name.toLowerCase();
+        return lowered.startsWith('backup-') ||
+               lowered === 'backup' ||
+               lowered === 'backups' ||
+               lowered === 'i18ntk-backups' ||
+               lowered === 'reports' ||
+               lowered === 'i18ntk-reports';
+    }
 
     /**
      * Set runtime dependencies for interactive operations
@@ -79,7 +79,7 @@ class FixerCommand {
 
             this.sourceDir = this.config.sourceDir;
             this.outputDir = this.config.outputDir;
-            this.backupDir = path.resolve(this.config.backup?.location || './i18ntk-backups', 'fixer');
+            this.backupDir = path.resolve(this.config.backup?.location || './i18ntk-backups', 'fixer');
 
             // Validate source directory exists
             const { validateSourceDir } = require('../../../utils/config-helper');
@@ -138,15 +138,15 @@ class FixerCommand {
             const languages = [];
 
             // Check for directory-based structure
-            const directories = items
-                .filter(item => item.isDirectory())
-                .map(item => item.name)
-                .filter(name =>
-                    name !== 'node_modules' &&
-                    !name.startsWith('.') &&
-                    name !== this.config.sourceLanguage &&
-                    !this.isExcludedLanguageDirectory(name)
-                );
+            const directories = items
+                .filter(item => item.isDirectory())
+                .map(item => item.name)
+                .filter(name =>
+                    name !== 'node_modules' &&
+                    !name.startsWith('.') &&
+                    name !== this.config.sourceLanguage &&
+                    !this.isExcludedLanguageDirectory(name)
+                );
 
             // Check for monolith files (language.json files)
             const files = items
@@ -158,13 +158,13 @@ class FixerCommand {
 
             // Add monolith files as languages (without .json extension)
             const monolithLanguages = files
-                .map(file => file.replace('.json', ''))
-                .filter(lang =>
-                    !languages.includes(lang) &&
-                    lang !== this.config.sourceLanguage &&
-                    !this.isExcludedLanguageDirectory(lang)
-                );
-            languages.push(...monolithLanguages);
+                .map(file => file.replace('.json', ''))
+                .filter(lang =>
+                    !languages.includes(lang) &&
+                    lang !== this.config.sourceLanguage &&
+                    !this.isExcludedLanguageDirectory(lang)
+                );
+            languages.push(...monolithLanguages);
 
             return [...new Set(languages)].sort();
         } catch (error) {
@@ -299,21 +299,21 @@ class FixerCommand {
     }
 
     // Create backup of translation files
-    async createBackup() {
-        if (this.dryRun) return;
-
-        try {
-            const backupEnabled = this.config?.backup?.enabled === true;
-            if (!backupEnabled) {
-                this.backupDir = null;
-                return;
-            }
-
-            const timestamp = new Date().toISOString().replace(/[:.]/g, '-');
-            const backupRoot = path.resolve(this.config?.backup?.location || './i18ntk-backups');
-            this.backupDir = path.join(backupRoot, 'fixer', `backup-${timestamp}`);
-
-            console.log(t('fixer.creatingBackup', { dir: this.backupDir }));
+    async createBackup() {
+        if (this.dryRun) return;
+
+        try {
+            const backupEnabled = this.config?.backup?.enabled === true;
+            if (!backupEnabled) {
+                this.backupDir = null;
+                return;
+            }
+
+            const timestamp = new Date().toISOString().replace(/[:.]/g, '-');
+            const backupRoot = path.resolve(this.config?.backup?.location || './i18ntk-backups');
+            this.backupDir = path.join(backupRoot, 'fixer', `backup-${timestamp}`);
+
+            console.log(t('fixer.creatingBackup', { dir: this.backupDir }));
 
             // Ensure backup directory exists
             const dirCreated = SecurityUtils.safeMkdirSync(this.backupDir, process.cwd(), { recursive: true });
@@ -326,8 +326,8 @@ class FixerCommand {
             const languages = this.getAvailableLanguages();
             languages.push(this.config.sourceLanguage); // Include source language
 
-            for (const language of languages) {
-                const languageFiles = this.getLanguageFiles(language);
+            for (const language of languages) {
+                const languageFiles = this.getLanguageFiles(language);
 
                 for (const fileName of languageFiles) {
                     const sourcePath = path.join(this.sourceDir, language, fileName);
@@ -343,42 +343,42 @@ class FixerCommand {
                         SecurityUtils.safeWriteFileSync(backupPath, content, process.cwd(), 'utf8');
                     }
                 }
-            }
-
-            this.cleanupOldBackups();
-
-            console.log(t('fixer.backupCreated'));
-        } catch (error) {
-            console.warn(`Failed to create backup: ${error.message}`);
-        }
-    }
-
-    cleanupOldBackups() {
-        try {
-            const fixerBackupRoot = path.resolve(this.config?.backup?.location || './i18ntk-backups', 'fixer');
-            if (!SecurityUtils.safeExistsSync(fixerBackupRoot, process.cwd())) return;
-
-            const configuredKeep = parseInt(this.config?.backup?.maxBackups, 10);
-            const keepCount = Number.isInteger(configuredKeep) ? Math.min(Math.max(configuredKeep, 1), 3) : 1;
-
-            const backupDirs = SecurityUtils.safeReaddirSync(fixerBackupRoot, process.cwd(), { withFileTypes: true })
-                .filter(entry => entry.isDirectory() && entry.name.startsWith('backup-'))
-                .map(entry => {
-                    const dirPath = path.join(fixerBackupRoot, entry.name);
-                    const stat = SecurityUtils.safeStatSync(dirPath, process.cwd());
-                    return { name: entry.name, path: dirPath, mtimeMs: stat ? stat.mtimeMs : 0 };
-                })
-                .sort((a, b) => b.mtimeMs - a.mtimeMs);
-
-            if (backupDirs.length <= keepCount) return;
-
-            for (const staleDir of backupDirs.slice(keepCount)) {
-                fs.rmSync(staleDir.path, { recursive: true, force: true });
-            }
-        } catch (error) {
-            console.warn(`Failed to clean old backups: ${error.message}`);
-        }
-    }
+            }
+
+            this.cleanupOldBackups();
+
+            console.log(t('fixer.backupCreated'));
+        } catch (error) {
+            console.warn(`Failed to create backup: ${error.message}`);
+        }
+    }
+
+    cleanupOldBackups() {
+        try {
+            const fixerBackupRoot = path.resolve(this.config?.backup?.location || './i18ntk-backups', 'fixer');
+            if (!SecurityUtils.safeExistsSync(fixerBackupRoot, process.cwd())) return;
+
+            const configuredKeep = parseInt(this.config?.backup?.maxBackups, 10);
+            const keepCount = Number.isInteger(configuredKeep) ? Math.min(Math.max(configuredKeep, 1), 3) : 1;
+
+            const backupDirs = SecurityUtils.safeReaddirSync(fixerBackupRoot, process.cwd(), { withFileTypes: true })
+                .filter(entry => entry.isDirectory() && entry.name.startsWith('backup-'))
+                .map(entry => {
+                    const dirPath = path.join(fixerBackupRoot, entry.name);
+                    const stat = SecurityUtils.safeStatSync(dirPath, process.cwd());
+                    return { name: entry.name, path: dirPath, mtimeMs: stat ? stat.mtimeMs : 0 };
+                })
+                .sort((a, b) => b.mtimeMs - a.mtimeMs);
+
+            if (backupDirs.length <= keepCount) return;
+
+            for (const staleDir of backupDirs.slice(keepCount)) {
+                fs.rmSync(staleDir.path, { recursive: true, force: true });
+            }
+        } catch (error) {
+            console.warn(`Failed to clean old backups: ${error.message}`);
+        }
+    }
 
     // Analyze translation issues for fixing
     analyzeIssues(language, fileName) {
@@ -420,7 +420,7 @@ class FixerCommand {
                         type: 'missing_key',
                         key,
                         sourceValue,
-                        fix: () => this.setValueByPath(targetObj, key, sourceValue)
+                        fix: (obj) => this.setValueByPath(obj, key, sourceValue)
                     });
                 } else if (targetValue === '') {
                     // Empty value
@@ -428,7 +428,7 @@ class FixerCommand {
                         type: 'empty_value',
                         key,
                         sourceValue,
-                        fix: () => this.setValueByPath(targetObj, key, sourceValue)
+                        fix: (obj) => this.setValueByPath(obj, key, sourceValue)
                     });
                 } else {
                     const markers = this.config.notTranslatedMarkers || [this.config.notTranslatedMarker];
@@ -438,7 +438,7 @@ class FixerCommand {
                             type: 'untranslated_marker',
                             key,
                             sourceValue,
-                            fix: () => this.setValueByPath(targetObj, key, sourceValue)
+                            fix: (obj) => this.setValueByPath(obj, key, sourceValue)
                         });
                     }
                 }
@@ -486,7 +486,7 @@ class FixerCommand {
 
                         for (const issue of issues) {
                             if (typeof issue.fix === 'function') {
-                                issue.fix();
+                                issue.fix(targetObj);
                                 fixes.files[fileName].fixed++;
                                 fixes.fixedIssues++;
                             }
@@ -494,7 +494,7 @@ class FixerCommand {
 
                         // Write back the fixed content
                         const fixedContent = JSON.stringify(targetObj, null, 2);
-                        SecurityUtils.safeWriteFileSync(targetFilePath, fixedContent, process.cwd(), 'utf8');
+                        SecurityUtils.safeWriteFileSync(targetFilePath, fixedContent, this.sourceDir, 'utf8');
 
                     } catch (error) {
                         console.warn(`Error fixing ${language}/${fileName}: ${error.message}`);
@@ -527,9 +527,9 @@ class FixerCommand {
             }
 
             // Create backup unless disabled
-            if (!args.noBackup && !this.dryRun && this.config?.backup?.enabled === true) {
-                await this.createBackup();
-            }
+            if (!args.noBackup && !this.dryRun && this.config?.backup?.enabled === true) {
+                await this.createBackup();
+            }
 
             const languages = this.getAvailableLanguages();
 
@@ -591,9 +591,9 @@ class FixerCommand {
             console.log(t('fixer.totalIssues', { count: totalIssues }));
             console.log(t('fixer.totalFixed', { count: totalFixed }));
 
-            if (this.backupDir && !args.noBackup && this.config?.backup?.enabled === true) {
-                console.log(t('fixer.backupLocation', { dir: this.backupDir }));
-            }
+            if (this.backupDir && !args.noBackup && this.config?.backup?.enabled === true) {
+                console.log(t('fixer.backupLocation', { dir: this.backupDir }));
+            }
 
             console.log(t('fixer.completed'));
 
@@ -677,4 +677,4 @@ class FixerCommand {
     }
 }
 
-module.exports = FixerCommand;
+module.exports = FixerCommand;