FixGuard

A verifiable, local-first CLI system for safe code evolution.

Features

- 🔍 Multi-language support - TypeScript, JavaScript, Python, and more
- 🛡️ Security hardening - OWASP-compliant checks and fixes
- ⏪ Rollback support - Every change can be undone
- 📊 Comprehensive reporting - Markdown, JSON, and SARIF formats
- 🔒 Safe by design - Tools and tests are the judges, never AI

Installation

``bash

`Clone the repository`


git clone https://github.com/your-org/fixguard.git
cd fixguard
Install Node.js dependencies

npm install
Install Python dependencies

cd python && pip install -e ".[dev]" && cd ..
Build TypeScript

npm run build
Link globally (optional)

npm link


Usage
$3

bash
fixguard scan .

$3

bash
fixguard scan . --auto-fix

$3

bash
fixguard scan . --mode=guided-refactor

$3

bash
fixguard scan . --ci

$3

bash
fixguard report .
fixguard report . --format=json
fixguard report . --format=sarif

$3

bash
fixguard rollback 
fixguard rollback  --dry-run


Execution Modes

| Mode | Description | Auto-fix | Refactor | Interactive | |------|-------------|----------|----------|-------------| |observe| Read-only analysis (default) | ❌ | ❌ | ✅ | |safe-fix| Low-risk fixes only | ✅ | ❌ | ✅ | |guided-refactor| Proposals + approval | ✅ | ✅ | ✅ | |ci | Strict, non-interactive | ❌ | ❌ | ❌ |

`Core Principles`

1. AI has zero authority - Tools and tests decide 2. Every change is verifiable - Backed by tests 3. Every change is reversible - Snapshot and rollback 4. Every action is logged - Immutable run logs 5. If uncertain → report, don't guess

`Architecture`

`┌─────────────────────────────────────────────────────┐ │ TypeScript Layer │ │ (Orchestration - "What Happens") │ ├─────────────────────────────────────────────────────┤ │ CLI │ Detection │ Decision │ Snapshots │ │ │ │ Engine │ & Rollback │ └────────────────────────┬────────────────────────────┘ │ JSON Bridge ┌────────────────────────▼────────────────────────────┐ │ Python Layer │ │ (Transformation - "How Code Changes") │ ├─────────────────────────────────────────────────────┤ │ Analyzers │ Fixers │ Security │ Testing │ │ (ESLint, │ (Rule- │ Hardening │ (Test Gen) │ │ Ruff...) │ based) │ (OWASP) │ │ └─────────────────────────────────────────────────────┘``

Security Hardening

FixGuard checks and hardens:

- Rate limiting on public endpoints
- Input validation and sanitization
- Secret handling (no hardcoded keys)
- SQL injection prevention
- XSS prevention

All security fixes follow OWASP Top 10 best practices.

License

MIT