Autonoma fixes hardcoded secrets automatically — but only when it's confident the fix is safe. If it can't guarantee safety, it refuses and tells you why.
Before: SENDGRID_API_KEY = "SG.live-abc123xyz987"
After: SENDGRID_API_KEY = os.getenv("SENDGRID_API_KEY")
When it can't fix safely: API_KEY = "sk-live-abc123" → REFUSED — could not guarantee safe replacement
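The fix-or-refuse pattern sketched above can be made concrete with a small AST-based remediator. The following is an added example written for this page, not Autonoma's own code: it parses Python source, rewrites module-level `NAME = "literal"` assignments that look like secrets into `os.getenv("NAME")`, and refuses whenever it cannot prove the rewrite is behaviour-preserving. The name and value heuristics (`SECRET_NAME`, `SECRET_VALUE`), the refusal rules, and the sample file are all constructed assumptions for illustration.

```python
"""Fix-or-refuse remediation of hardcoded secrets in Python source (constructed example)."""
import ast
import re
from dataclasses import dataclass

# Constructed heuristics: which variable names and literal shapes look like secrets.
SECRET_NAME = re.compile(r"(api_?key|secret|token|password)", re.I)
SECRET_VALUE = re.compile(r"^(SG\.|sk-|ghp_|AKIA)[A-Za-z0-9._-]{6,}$")


@dataclass
class Decision:
    name: str
    line: int
    fixed: bool
    reason: str


def _bindings(tree: ast.Module, name: str) -> int:
    """Number of places `name` is bound (assigned) anywhere in the module."""
    return sum(
        1 for n in ast.walk(tree)
        if isinstance(n, ast.Name) and n.id == name and isinstance(n.ctx, ast.Store)
    )


def _imports_os(tree: ast.Module) -> bool:
    return any(isinstance(n, ast.Import) and any(a.name == "os" for a in n.names)
               for n in tree.body)


def _candidates(tree: ast.Module):
    """Yield (assign_node, name, literal_node) for every secret-looking assignment."""
    for n in ast.walk(tree):
        if (isinstance(n, ast.Assign) and len(n.targets) == 1
                and isinstance(n.targets[0], ast.Name)
                and isinstance(n.value, ast.Constant)
                and isinstance(n.value.value, str)
                and SECRET_NAME.search(n.targets[0].id)
                and SECRET_VALUE.match(n.value.value)):
            yield n, n.targets[0].id, n.value


def remediate(source: str) -> tuple[str, list[Decision]]:
    """Return (rewritten_source, decisions). Refuses rather than guesses."""
    tree = ast.parse(source)
    top_level = {id(n) for n in tree.body}
    lines = source.splitlines(keepends=True)
    decisions, edits = [], []

    for node, name, lit in _candidates(tree):
        # Each check below is a reason to refuse: the rewrite is only applied
        # when the assignment is a plain, single, module-level constant whose
        # literal has no other copy in the file.
        if id(node) not in top_level:
            reason = "assignment is not at module level"
        elif node.lineno != node.end_lineno:
            reason = "assignment spans multiple lines"
        elif _bindings(tree, name) > 1:
            reason = "name is bound more than once"
        elif source.count(lit.value) > 1:
            reason = "literal also appears elsewhere in the file"
        else:
            edits.append((lit.lineno - 1, lit.col_offset, lit.end_col_offset, name))
            decisions.append(Decision(name, node.lineno, True, "replaced with os.getenv"))
            continue
        decisions.append(Decision(name, node.lineno, False, "REFUSED: " + reason))

    # Apply edits right-to-left so earlier byte offsets on the same line stay valid.
    for row, start, end, name in sorted(edits, reverse=True):
        raw = lines[row].encode("utf-8")  # ast column offsets are UTF-8 byte offsets
        replacement = f'os.getenv("{name}")'.encode("utf-8")
        lines[row] = (raw[:start] + replacement + raw[end:]).decode("utf-8")
    if edits and not _imports_os(tree):
        lines.insert(0, "import os\n")  # simplified: a real tool would respect docstrings
    return "".join(lines), decisions


# Constructed sample input: two fixable keys and one that must be refused
# because a second copy of the literal lives in another string.
SAMPLE = """\
import requests

SENDGRID_API_KEY = "SG.live-abc123xyz987"
OPENAI_API_KEY = "sk-live-abc123"

STRIPE_SECRET = "sk-live-dup456"
STRIPE_HEADER = "Bearer sk-live-dup456"
"""

if __name__ == "__main__":
    fixed_source, report = remediate(SAMPLE)
    for d in report:
        print(f"line {d.line}: {d.name} -> {d.reason}")
    print(fixed_source)
```

Running it on `SAMPLE` rewrites `SENDGRID_API_KEY` and `OPENAI_API_KEY`, adds `import os`, and leaves `STRIPE_SECRET` untouched with a stated reason, because swapping only the assignment would still leave the second copy of the key in `STRIPE_HEADER`. The same refusal path fires for assignments inside functions or conditionals, where an environment lookup could change scoping or evaluation order.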
Tested on a real public repo with live exposed Azure Vision and OpenAI API keys. Fixed both. Refused one edge case. Nothing else touched.
MIT licensed. Runs locally. No telemetry.