Module auto_fix

Auto-fix suggestion logic for SARIF output: turns each finding into “replace this credential with ${ENV_VAR_NAME}” advice.

Tier-B moat innovation #15 + #17 from audits/legendary-2026-04-26: moves keyhog from “find” to “fix.” We surface the suggestion in SARIF result.fixes[] per the v2.2.0 spec; CLI consumers can apply the edit interactively or in a pre-commit hook.

This module provides only the SUGGESTION step (deterministic env-var name from service + the ${VAR} replacement string). Actually rewriting files belongs in the CLI, where we can prompt the user before clobbering their working tree.

Functions

env_var_name_for_service
Map a detector’s service string to a conventional environment-variable name. Falls back to <UPPER_SERVICE>_KEY when the service isn’t in the curated map.
fix_replacement_text
Render the ${ENV_VAR_NAME} shell-interpolation replacement string for a detector, i.e. the recommended replacement text for a leaked credential (e.g., “${STRIPE_KEY}”). Reporters embed this in their fixes[] output.
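The following is an added illustration of the suggestion step described above and of the SARIF `fixes[]` element a reporter would build from it; it is example code, not keyhog's own implementation. The curated service map, the `<UPPER_SERVICE>_KEY` normalization details (non-identifier characters become `_`, a leading digit gets a `_` prefix), and the `json_str` / `sarif_fix_json` helpers are assumptions made for this example.

```rust
use std::collections::HashMap;

/// Curated service -> env-var map (constructed for this example, not keyhog's real table).
fn curated_map() -> HashMap<&'static str, &'static str> {
    HashMap::from([
        ("stripe", "STRIPE_KEY"),
        ("aws", "AWS_SECRET_ACCESS_KEY"),
        ("github", "GITHUB_TOKEN"),
    ])
}

/// Deterministic env-var name: the curated entry if known, else `<UPPER_SERVICE>_KEY`
/// with every character not allowed in a POSIX variable name replaced by `_`, and a
/// leading `_` added if the result would otherwise start with a digit (assumed rule).
pub fn env_var_name_for_service(service: &str) -> String {
    let key = service.trim().to_ascii_lowercase();
    if let Some(name) = curated_map().get(key.as_str()) {
        return (*name).to_string();
    }
    let upper: String = key
        .chars()
        .map(|c| if c.is_ascii_alphanumeric() { c.to_ascii_uppercase() } else { '_' })
        .collect();
    let upper = if upper.starts_with(|c: char| c.is_ascii_digit()) { format!("_{upper}") } else { upper };
    format!("{upper}_KEY")
}

/// The `${VAR}` shell-interpolation text that replaces the leaked literal in the file.
pub fn fix_replacement_text(service: &str) -> String {
    format!("${{{}}}", env_var_name_for_service(service))
}

/// Minimal JSON string escaping so a path or name with quotes cannot break the document.
fn json_str(s: &str) -> String {
    s.replace('\\', "\\\\").replace('"', "\\\"")
}

/// One SARIF `fixes[]` element (hand-rendered JSON, no serde dependency): delete the
/// credential's character range in `uri` and insert the `${VAR}` reference instead.
pub fn sarif_fix_json(uri: &str, char_offset: usize, char_length: usize, service: &str) -> String {
    let var = fix_replacement_text(service);
    format!(
        concat!(
            "{{\"description\":{{\"text\":\"Replace hard-coded {svc} credential with {var}\"}},",
            "\"artifactChanges\":[{{\"artifactLocation\":{{\"uri\":\"{uri}\"}},",
            "\"replacements\":[{{\"deletedRegion\":{{\"charOffset\":{off},\"charLength\":{len}}},",
            "\"insertedContent\":{{\"text\":\"{var}\"}}}}]}}]}}"
        ),
        svc = json_str(service), var = json_str(&var), uri = json_str(uri),
        off = char_offset, len = char_length
    )
}
```

Applying the edit to the working tree is deliberately left out, matching the module's split between suggesting and rewriting.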