fix-cli 0.4.0__py3-none-any.whl

fix_cli-0.4.0.dist-info/METADATA

@@ -0,0 +1,108 @@
+Metadata-Version: 2.4
+Name: fix-cli
+Version: 0.4.0
+Summary: AI-powered command fixer with contract-based dispute resolution
+Author-email: Karan Sharma <karans4@protonmail.com>
+License-Expression: MIT
+Requires-Python: >=3.10
+Description-Content-Type: text/markdown
+License-File: LICENSE
+Requires-Dist: httpx>=0.24
+Provides-Extra: server
+Requires-Dist: fastapi>=0.100; extra == "server"
+Requires-Dist: uvicorn>=0.20; extra == "server"
+Requires-Dist: starlette>=0.27; extra == "server"
+Dynamic: license-file
+
+# fix
+
+AI-powered command fixer. A command fails, an LLM diagnoses it, proposes a fix, and a contract system tracks the whole thing. Disputes go to an AI judge.
+
+## Quick start
+
+```sh
+pip install git+https://github.com/karans4/fix.git
+```
+
+### Local mode (you need an API key)
+
+```sh
+export ANTHROPIC_API_KEY=sk-ant-...   # or OPENAI_API_KEY, or run Ollama
+
+fix "gcc foo.c"         # run command, fix if it fails
+fix it                  # fix the last failed command
+fix --explain "make"    # just explain the error
+fix --dry-run "make"    # show fix without running
+fix --local "make"      # force Ollama (free, local)
+```
+
+### Remote mode (free platform agent)
+
+Post a contract to the platform. A free AI agent picks it up and proposes a fix.
+
+```sh
+fix --remote "gcc foo.c"
+```
+
+Platform: `https://fix.notruefireman.org` (free during testing)
+
+Configure in `~/.fix/config.py`:
+```python
+platform_url = "https://fix.notruefireman.org"
+remote = True  # default to remote mode
+```
+
+## Shell integration
+
+For `fix it` / `fix !!` to work, add to your shell config:
+
+```sh
+# bash/zsh
+eval "$(fix shell)"
+
+# fish
+fix shell fish | source
+
+# or auto-install
+fix shell --install
+```
+
+## Safe mode (sandbox)
+
+Default on Linux. Runs fixes in OverlayFS -- changes only committed if verification passes.
+
+```sh
+fix "make build"          # sandbox on Linux by default
+fix --no-safe "make"      # skip sandbox
+fix --safe "make"         # force sandbox
+```
+
+## Verification
+
+```sh
+fix "gcc foo.c"                              # default: re-run, exit 0 = success
+fix --verify=human "python3 render.py"       # human judges
+fix --verify="pytest tests/" "pip install x"  # custom command
+```
+
+## How it works
+
+1. Command fails, stderr captured
+2. Contract built (task, environment, verification terms, escrow)
+3. Agent investigates (read-only commands), then proposes fix
+4. Fix applied, verified mechanically
+5. Multi-attempt: up to 3 tries, feeding failures back as context
+6. Disputes go to an AI judge who reviews the full transcript
+
+## Architecture
+
+- `fix` -- CLI entry point
+- `server/` -- FastAPI platform (contracts, escrow, reputation, judge)
+- `protocol.py` -- state machine, constants
+- `scrubber.py` -- redacts secrets from error output before sending to LLM
+- `contract.py` -- builds structured contracts
+- `client.py` / `agent.py` -- remote mode client and agent
+
+## License
+
+MIT

fix_cli-0.4.0.dist-info/RECORD

@@ -0,0 +1,20 @@
+agent.py,sha256=lJgfoGi8sG7aDOW4oZzLhKooocfjxA93GFFYYXq6L9c,9011
+client.py,sha256=RiIfNfVEjBUQjSQWCwuF9sLyPWDPQBdEL1d3Co1OBWc,6161
+contract.py,sha256=ByfDlNrLIK1NX1143Dam3UyTuhJUK-jvERcCgnYXOio,8923
+crypto.py,sha256=QFeg-6M_Of9ngwbSKBmZElZIMrD9yNuZDkwtlZvgwxY,1997
+fix.py,sha256=Ht-Y_xIZhIqbaMQ_bs0hX2U-OU212ILwmyXFxIl23aA,106096
+protocol.py,sha256=yVkqn-Bf4vT9R-kO7XI9aOQkEwSOJI8VWTngFad6r_0,4775
+scrubber.py,sha256=M0_D6jQu9UxkTif97IhuzrvS13aaTEHfFj34CME1YXA,10585
+fix_cli-0.4.0.dist-info/licenses/LICENSE,sha256=mH6C1emk9xIuoqHqFMJVHAjB2tj7IGoNlrBe1BvZ_Z4,1069
+server/__init__.py,sha256=Ps8KIJbZjQ1hLiux6Z12U6KIzYJ2px2DSIPgTUznIt4,136
+server/app.py,sha256=5zeQSh4-xiZ41AgNWmOja4ydbWTqzx5qzPGM6jlxO_0,44070
+server/escrow.py,sha256=4su1y2bJeXU209IRtR13Lhwe3d2BYBi_oNN77-9PdF0,16922
+server/judge.py,sha256=JPBycMixyQRrB9sAHl5CB7rRm_k-R0YyFxTKMrWRx6E,9804
+server/nano.py,sha256=EaLVkSD1GmJ_OW9vcPXHbuP2oISYSK9qDn6V5sUSWLc,6183
+server/reputation.py,sha256=6SLQO1cgs_m4fD_-G6Kv0hApxCNPAxM7K3EuDVP-r90,5171
+server/store.py,sha256=nDEB4X1AiX1R1JnaYgMK__DhdXIDTc8p7zhHeARiSns,6014
+fix_cli-0.4.0.dist-info/METADATA,sha256=yP-4cjjwgCVVCtsmadb92bIpY3csVjuIG_XNdcttvZY,2885
+fix_cli-0.4.0.dist-info/WHEEL,sha256=YCfwYGOYMi5Jhw2fU4yNgwErybb2IX5PEwBKV4ZbdBo,91
+fix_cli-0.4.0.dist-info/entry_points.txt,sha256=lJgaB_4xLWdxPgGogXU4ktdItAjb132Z_wzBI8UChTg,33
+fix_cli-0.4.0.dist-info/top_level.txt,sha256=LEKHSOT7frBfNsQzRT9SlVYgKjEXE2q7p_iDaMPv5zo,58
+fix_cli-0.4.0.dist-info/RECORD,,

fix_cli-0.4.0.dist-info/WHEEL

@@ -0,0 +1,5 @@
+Wheel-Version: 1.0
+Generator: setuptools (82.0.0)
+Root-Is-Purelib: true
+Tag: py3-none-any
+

fix_cli-0.4.0.dist-info/entry_points.txt

@@ -0,0 +1,2 @@
+[console_scripts]
+fix = fix:main

fix_cli-0.4.0.dist-info/licenses/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2025 Karan Sharma
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

fix_cli-0.4.0.dist-info/top_level.txt

@@ -0,0 +1,8 @@
+agent
+client
+contract
+crypto
+fix
+protocol
+scrubber
+server

protocol.py

@@ -0,0 +1,142 @@
+"""Shared constants and interfaces for fix v2 protocol.
+
+All modules import from here to avoid circular dependencies.
+"""
+
+from decimal import Decimal
+from enum import Enum
+
+# --- Protocol Constants ---
+
+PROTOCOL_VERSION = 2
+
+DEFAULT_BOUNTY = "0.01"
+DEFAULT_CURRENCY = "XNO"
+DEFAULT_CHAIN = "nano"
+DEFAULT_CANCEL_FEE = "0.002"
+GRACE_PERIOD_SECONDS = 30
+ABANDONMENT_TIMEOUT = 120
+MAX_INVESTIGATION_ROUNDS = 5
+DEFAULT_MAX_ATTEMPTS = 5
+XNO_RAW_PER_UNIT = 10**30
+
+# Execution modes
+MODE_SUPERVISED = "supervised"
+MODE_AUTONOMOUS = "autonomous"
+
+# Review window (autonomous mode): seconds before auto-fulfill
+DEFAULT_REVIEW_WINDOW = 7200  # 2 hours
+
+# Judge defaults
+DEFAULT_JUDGE_FEE = "0.026"  # XNO -- each side stakes this as dispute bond
+DEFAULT_RULING_TIMEOUT = 60  # seconds judge has to rule
+
+# Tiered court system: escalating models and fees
+COURT_TIERS = [
+    {"name": "district",  "model": "claude-haiku-4-5-20251001", "fee": "0.001"},
+    {"name": "appeals",   "model": "claude-sonnet-4-6",         "fee": "0.005"},
+    {"name": "supreme",   "model": "claude-opus-4-6",           "fee": "0.02"},
+]
+MAX_DISPUTE_LEVEL = len(COURT_TIERS) - 1  # supreme is final
+# Bond = sum of all tier fees (covers worst-case full appeal)
+DISPUTE_BOND = str(sum(Decimal(t["fee"]) for t in COURT_TIERS))  # "0.026"
+
+# Platform fee: small deduction from BOTH sides on every resolution
+# Covers platform costs (agent LLM, hosting). Non-refundable.
+PLATFORM_FEE = "0.001"  # XNO per side
+
+# Response window: seconds the other side has to counter-argue in a dispute
+DISPUTE_RESPONSE_WINDOW = 30  # seconds
+
+# Investigation rate limiting
+DEFAULT_INVESTIGATION_RATE = 5  # seconds between commands
+
+
+# --- State Machine ---
+
+class ContractState(Enum):
+    OPEN = "open"
+    INVESTIGATING = "investigating"  # agent bonded, inspecting before accept
+    IN_PROGRESS = "in_progress"
+    REVIEW = "review"  # autonomous mode: fix submitted, awaiting accept/dispute/timeout
+    FULFILLED = "fulfilled"
+    CANCELED = "canceled"
+    BACKED_OUT = "backed_out"
+    DISPUTED = "disputed"
+    HALTED = "halted"
+    RESOLVED = "resolved"
+    VOIDED = "voided"  # judge timeout, all funds returned
+
+
+# Valid state transitions: current_state -> set of valid next states
+STATE_TRANSITIONS = {
+    ContractState.OPEN: {ContractState.INVESTIGATING, ContractState.IN_PROGRESS, ContractState.CANCELED},
+    ContractState.INVESTIGATING: {ContractState.IN_PROGRESS, ContractState.OPEN},  # accept or decline
+    ContractState.IN_PROGRESS: {
+        ContractState.FULFILLED,
+        ContractState.CANCELED,
+        ContractState.BACKED_OUT,
+        ContractState.DISPUTED,
+        ContractState.HALTED,
+        ContractState.REVIEW,
+    },
+    ContractState.REVIEW: {ContractState.FULFILLED, ContractState.DISPUTED, ContractState.CANCELED},
+    ContractState.BACKED_OUT: {ContractState.OPEN},  # reopen
+    ContractState.DISPUTED: {ContractState.RESOLVED, ContractState.VOIDED},
+    ContractState.HALTED: {ContractState.RESOLVED},
+    ContractState.FULFILLED: set(),
+    ContractState.CANCELED: set(),
+    ContractState.RESOLVED: set(),
+    ContractState.VOIDED: set(),
+}
+
+
+# --- Feedback Message Types ---
+
+class FeedbackType(Enum):
+    ACCEPT = "accept"
+    DECLINE = "decline"
+    INVESTIGATE = "investigate"
+    RESULT = "result"
+    VERDICT = "verdict"
+    BACK_OUT = "back_out"
+    HALT = "halt"  # emergency kill by principal
+    ASK = "ask"  # agent asks principal a question
+    ANSWER = "answer"  # principal answers agent
+    MESSAGE = "message"  # general chat (either direction)
+
+
+# --- Verdict Rulings ---
+
+class Ruling(Enum):
+    FULFILLED = "fulfilled"
+    CANCELED = "canceled"
+    IMPOSSIBLE = "impossible"
+    EVIL_AGENT = "evil_agent"
+    EVIL_PRINCIPAL = "evil_principal"
+    EVIL_BOTH = "evil_both"
+
+
+# --- Evil Flags ---
+
+EVIL_FLAGS = {"evil_agent", "evil_principal", "evil_both"}
+
+
+# --- Investigation Command Whitelist ---
+# (re-exported from main fix CLI for agent use)
+
+INVESTIGATE_WHITELIST = {
+    "cat", "head", "tail", "less", "file", "wc", "stat", "md5sum", "sha256sum",
+    "ls", "find", "tree", "du",
+    "grep", "rg", "ag", "awk", "sed",
+    "which", "whereis", "type", "command", "uname", "arch", "lsb_release", "hostnamectl",
+    "dpkg", "apt", "apt-cache", "apt-file", "apt-list", "rpm", "pacman",
+    "pip", "pip3", "npm", "gem", "cargo", "rustc",
+    "python3", "python", "node", "gcc", "g++", "make", "cmake", "java", "go", "ruby",
+    "clang", "clang++", "ld", "as", "nasm",
+    "env", "printenv", "echo", "id", "whoami", "pwd", "hostname",
+    "lsmod", "lscpu", "free", "df", "mount", "ip", "ss", "ps",
+    "journalctl", "dmesg",
+    "readlink", "realpath", "basename", "dirname", "diff", "cmp",
+    "strings", "nm", "ldd", "objdump", "pkg-config", "test", "timeout",
+}

scrubber.py

@@ -0,0 +1,355 @@
+"""Output redaction engine for fix v2.
+
+Scrubs sensitive data from text before it leaves the machine.
+Runs on every outbound message: investigation results, error output, contracts.
+
+Each category can be independently toggled. False positives are safer than leaks.
+This is a best-effort seatbelt, not a security boundary. The real protection
+is the overlay sandbox hiding sensitive files from the command in the first place.
+"""
+
+import re
+import os
+import math
+
+# --- Pattern categories ---
+
+# Environment variable assignments: KEY=value
+_RE_ENV_ASSIGN = re.compile(
+    r'''(?:^|(?<=\s))([A-Z_][A-Z0-9_]{2,})=(["']?)(.+?)\2(?:\s|$)''',
+    re.MULTILINE
+)
+
+# Known secret prefixes: API keys, tokens, passwords
+_RE_TOKENS = re.compile(
+    r'(?:'
+    # Cloud provider keys
+    r'sk-[A-Za-z0-9_-]{20,}'            # Anthropic/OpenAI
+    r'|sk_live_[A-Za-z0-9]{20,}'        # Stripe secret
+    r'|pk_live_[A-Za-z0-9]{20,}'        # Stripe publishable
+    r'|rk_live_[A-Za-z0-9]{20,}'        # Stripe restricted
+    r'|AKIA[A-Z0-9]{16}(?:/[A-Za-z0-9/+]{20,})?' # AWS access key (+ optional secret)
+    r'|AIza[A-Za-z0-9_-]{35}'           # Google API key
+    r'|ya29\.[A-Za-z0-9_-]+'            # Google OAuth token
+    r'|SG\.[A-Za-z0-9_-]{20,}\.[A-Za-z0-9_-]{20,}'  # SendGrid
+    r'|sk-ant-[A-Za-z0-9_-]{20,}'       # Anthropic specific
+    # Git forges
+    r'|ghp_[A-Za-z0-9]{30,}'            # GitHub PAT
+    r'|gho_[A-Za-z0-9]{30,}'            # GitHub OAuth
+    r'|ghu_[A-Za-z0-9]{30,}'            # GitHub user token
+    r'|ghs_[A-Za-z0-9]{30,}'            # GitHub server token
+    r'|github_pat_[A-Za-z0-9_]{30,}'    # GitHub fine-grained PAT
+    r'|glpat-[A-Za-z0-9_-]{20,}'        # GitLab PAT
+    # Messaging/SaaS
+    r'|xox[bsapr]-[A-Za-z0-9-]+'        # Slack tokens
+    r'|SK[a-f0-9]{32}'                   # Twilio API key
+    r'|AC[a-f0-9]{32}'                   # Twilio account SID
+    r'|sq0[a-z]{3}-[A-Za-z0-9_-]{22,}'  # Square
+    # Generic patterns
+    r'|Bearer\s+[A-Za-z0-9._~+/=-]{20,}'  # Bearer tokens
+    r'|token=[A-Za-z0-9._~+/=-]{10,}'
+    r'|password=[^\s&]{3,}'
+    r'|passwd=[^\s&]{3,}'
+    r'|secret=[^\s&]{3,}'
+    r'|api[_-]?key=[^\s&]{3,}'
+    r')'
+)
+
+# Private key blocks (PEM format)
+_RE_PRIVATE_KEY = re.compile(
+    r'-----BEGIN[A-Z ]*PRIVATE KEY-----[\s\S]*?-----END[A-Z ]*PRIVATE KEY-----'
+)
+
+# JWTs: three base64url segments separated by dots
+_RE_JWT = re.compile(
+    r'\beyJ[A-Za-z0-9_-]{10,}\.eyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\b'
+)
+
+# Connection strings with credentials
+_RE_CONN_STRING = re.compile(
+    r'(?:mongodb(?:\+srv)?|postgres(?:ql)?|mysql|redis|amqp|mssql)'
+    r'://[^\s]*:[^\s]*@[^\s]+'
+)
+
+# Git remote URLs with embedded credentials
+_RE_GIT_CRED_URL = re.compile(
+    r'https?://[A-Za-z0-9._%-]+:[A-Za-z0-9._%-]+@[^\s]+'
+)
+
+# HTTP auth headers in output
+_RE_HTTP_AUTH = re.compile(
+    r'(?:Authorization|Cookie|X-API-Key|X-Auth-Token|X-Secret)'
+    r'\s*[:=]\s*.+',
+    re.IGNORECASE
+)
+
+# Credit card numbers (4 groups of 4 digits, with optional separators)
+_RE_CREDIT_CARD = re.compile(
+    r'\b(?:\d{4}[\s-]?){3}\d{4}\b'
+)
+
+# SSN
+_RE_SSN = re.compile(
+    r'\b\d{3}-\d{2}-\d{4}\b'
+)
+
+# Phone numbers (US and international)
+_RE_PHONE = re.compile(
+    r'(?:'
+    r'\+\d{1,3}[\s.-]?\(?\d{1,4}\)?[\s.-]?\d{1,4}[\s.-]?\d{1,9}'  # international
+    r'|\b\(?\d{3}\)?[\s.-]\d{3}[\s.-]\d{4}\b'                       # US format
+    r')'
+)
+
+# TOTP/OTP URIs
+_RE_TOTP = re.compile(
+    r'otpauth://[^\s]+'
+)
+
+# Home directory paths: /home/username/ -> /home/[USER]/
+_RE_HOME_PATH = None  # compiled lazily with actual username
+
+# IPv4 addresses
+_RE_IPV4 = re.compile(
+    r'\b(?:'
+    r'(?:10\.(?:\d{1,3}\.){2}\d{1,3})'
+    r'|(?:172\.(?:1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3})'
+    r'|(?:192\.168\.\d{1,3}\.\d{1,3})'
+    r'|(?:\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})'
+    r')\b'
+)
+
+# Email addresses
+_RE_EMAIL = re.compile(
+    r'\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Z|a-z]{2,}\b'
+)
+
+# High-entropy hex strings (likely keys/hashes — 64+ hex chars)
+_RE_HEX_SECRET = re.compile(
+    r'\b[0-9a-fA-F]{64,}\b'
+)
+
+
+def _get_home_re():
+    """Lazily compile home path regex for current user."""
+    global _RE_HOME_PATH
+    if _RE_HOME_PATH is None:
+        username = os.environ.get("USER") or os.environ.get("LOGNAME") or ""
+        if username:
+            home = os.path.expanduser("~")
+            escaped = re.escape(home)
+            _RE_HOME_PATH = re.compile(escaped + r'(?=/|$|\s)')
+        else:
+            _RE_HOME_PATH = re.compile(r'/home/[a-z_][a-z0-9_-]*(?=/|$|\s)')
+    return _RE_HOME_PATH
+
+
+def _luhn_check(num_str):
+    """Luhn algorithm to validate credit card numbers."""
+    digits = [int(d) for d in num_str if d.isdigit()]
+    if len(digits) != 16:
+        return False
+    checksum = 0
+    for i, d in enumerate(reversed(digits)):
+        if i % 2 == 1:
+            d *= 2
+            if d > 9:
+                d -= 9
+        checksum += d
+    return checksum % 10 == 0
+
+
+def _entropy(s):
+    """Shannon entropy of a string (bits per character)."""
+    if not s:
+        return 0
+    freq = {}
+    for c in s:
+        freq[c] = freq.get(c, 0) + 1
+    length = len(s)
+    return -sum((count / length) * math.log2(count / length) for count in freq.values())
+
+
+# Environment variables that are NOT sensitive
+_ENV_SAFE = {
+    "DISPLAY", "WAYLAND_DISPLAY", "XDG_RUNTIME_DIR", "XDG_SESSION_TYPE",
+    "XDG_SESSION_CLASS", "XDG_SESSION_ID", "XDG_SEAT", "XDG_VTNR",
+    "XDG_SEAT_PATH", "XDG_SESSION_PATH", "XDG_CONFIG_DIRS", "XDG_DATA_DIRS",
+    "XDG_CURRENT_DESKTOP", "XDG_SESSION_DESKTOP", "XDG_MENU_PREFIX",
+    "SHELL", "TERM", "LANG", "LANGUAGE", "LC_ALL", "LC_CTYPE",
+    "HOME", "USER", "LOGNAME", "PATH", "PWD", "OLDPWD", "HOSTNAME",
+    "EDITOR", "VISUAL", "PAGER", "COLORTERM", "TERM_PROGRAM",
+    "DBUS_SESSION_BUS_ADDRESS", "SSH_AUTH_SOCK",
+    "DESKTOP_SESSION", "SESSION_MANAGER", "GDMSESSION",
+    "QT_ACCESSIBILITY", "QT_IM_MODULE", "GTK_IM_MODULE",
+}
+
+
+# --- Scrub functions ---
+
+def _scrub_env_vars(text):
+    """Redact KEY=value assignments, preserving non-sensitive system vars."""
+    def repl(m):
+        key = m.group(1)
+        if key in _ENV_SAFE:
+            return m.group(0)
+        quote = m.group(2)
+        return f"{key}={quote}[REDACTED]{quote} "
+    return _RE_ENV_ASSIGN.sub(repl, text)
+
+
+def _scrub_tokens(text):
+    """Redact known secret patterns (API keys, vendor tokens)."""
+    return _RE_TOKENS.sub("[REDACTED]", text)
+
+
+def _scrub_private_keys(text):
+    """Redact PEM private key blocks."""
+    return _RE_PRIVATE_KEY.sub("[REDACTED_PRIVATE_KEY]", text)
+
+
+def _scrub_jwts(text):
+    """Redact JSON Web Tokens."""
+    return _RE_JWT.sub("[REDACTED_JWT]", text)
+
+
+def _scrub_conn_strings(text):
+    """Redact database/service connection strings with credentials."""
+    return _RE_CONN_STRING.sub("[REDACTED_CONNECTION_STRING]", text)
+
+
+def _scrub_git_creds(text):
+    """Redact git remote URLs with embedded credentials."""
+    return _RE_GIT_CRED_URL.sub("[REDACTED_URL]", text)
+
+
+def _scrub_http_auth(text):
+    """Redact HTTP auth headers."""
+    return _RE_HTTP_AUTH.sub("[REDACTED_HEADER]", text)
+
+
+def _scrub_credit_cards(text):
+    """Redact credit card numbers (with Luhn validation to reduce false positives)."""
+    def repl(m):
+        if _luhn_check(m.group(0)):
+            return "[REDACTED_CC]"
+        return m.group(0)
+    return _RE_CREDIT_CARD.sub(repl, text)
+
+
+def _scrub_ssn(text):
+    """Redact Social Security Numbers."""
+    return _RE_SSN.sub("[REDACTED_SSN]", text)
+
+
+def _scrub_phone(text):
+    """Redact phone numbers."""
+    return _RE_PHONE.sub("[REDACTED_PHONE]", text)
+
+
+def _scrub_totp(text):
+    """Redact TOTP/OTP URIs."""
+    return _RE_TOTP.sub("[REDACTED_TOTP]", text)
+
+
+def _scrub_paths(text):
+    """Replace /home/username/ with /home/[USER]/."""
+    home_re = _get_home_re()
+    return home_re.sub("/home/[USER]", text)
+
+
+def _scrub_ips(text):
+    """Redact IP addresses, preserving localhost."""
+    def repl(m):
+        ip = m.group(0)
+        if ip in ("127.0.0.1", "0.0.0.0"):
+            return ip
+        return "[REDACTED_IP]"
+    return _RE_IPV4.sub(repl, text)
+
+
+def _scrub_emails(text):
+    """Redact email addresses."""
+    return _RE_EMAIL.sub("[REDACTED_EMAIL]", text)
+
+
+def _scrub_hex_secrets(text):
+    """Redact long high-entropy hex strings (likely keys/hashes)."""
+    def repl(m):
+        s = m.group(0)
+        if _entropy(s) > 3.5:  # random hex is ~4.0, repeated patterns are lower
+            return "[REDACTED_HEX]"
+        return s
+    return _RE_HEX_SECRET.sub(repl, text)
+
+
+# Category name -> scrub function (order matters: specific before generic)
+SCRUBBERS = {
+    "private_keys": _scrub_private_keys,
+    "tokens": _scrub_tokens,
+    "jwts": _scrub_jwts,
+    "conn_strings": _scrub_conn_strings,
+    "git_creds": _scrub_git_creds,
+    "http_auth": _scrub_http_auth,
+    "totp": _scrub_totp,
+    "credit_cards": _scrub_credit_cards,
+    "ssn": _scrub_ssn,
+    "phone": _scrub_phone,
+    "env_vars": _scrub_env_vars,
+    "paths": _scrub_paths,
+    "ips": _scrub_ips,
+    "emails": _scrub_emails,
+    "hex_secrets": _scrub_hex_secrets,
+}
+
+# All categories enabled by default
+DEFAULT_CATEGORIES = set(SCRUBBERS.keys())
+
+
+def scrub(text, config=None):
+    """Scrub sensitive data from text.
+
+    Args:
+        text: The text to scrub.
+        config: Optional dict with:
+            - categories: list of category names to enable (default: all)
+            - custom_patterns: list of (pattern, replacement) tuples
+
+    Returns:
+        (scrubbed_text, matched_categories) tuple.
+        matched_categories is a set of category names that had matches.
+    """
+    if isinstance(text, bytes):
+        return text, set()
+    if text is None:
+        return "", set()
+    if not text:
+        return text, set()
+
+    if config and "categories" in config:
+        categories = set(config["categories"])
+    else:
+        categories = DEFAULT_CATEGORIES
+
+    matched = set()
+    result = text
+
+    for cat_name in categories:
+        fn = SCRUBBERS.get(cat_name)
+        if fn is None:
+            continue
+        scrubbed = fn(result)
+        if scrubbed != result:
+            matched.add(cat_name)
+            result = scrubbed
+
+    # Custom patterns
+    if config and config.get("custom_patterns"):
+        for pattern, replacement in config["custom_patterns"]:
+            compiled = re.compile(pattern)
+            new_result = compiled.sub(replacement, result)
+            if new_result != result:
+                matched.add("custom")
+                result = new_result
+
+    return result, matched

server/__init__.py

@@ -0,0 +1,8 @@
+"""Fix platform server.
+
+App factory for the centralized fix platform.
+"""
+
+from server.app import create_app
+
+__all__ = ["create_app"]