v0.12.0 — autofix for SQL injection

@GabrielBBaldez GabrielBBaldez released this 16 Jun 04:28

Turns the tool from a detector that generates work into one that resolves it. For SQL-injection findings, it generates the parameterized-query fix and can apply it.

```text
[suggested fix] sql-injection - UserRepository.java:34 (low confidence)
  use a parameterized query (1 bound parameter)
  - return jdbc.query("SELECT * FROM users WHERE name = '" + name + "'", mapper);
  + return jdbc.query("SELECT * FROM users WHERE name = ?", mapper, name);
```

- `scan --src <dir> --suggest-fixes`: show the fix as a diff, change nothing.
- `--fix`: apply high-confidence fixes (short single-method flows) to the source; cross-layer ones are shown but left for review. `--fix-confidence all` applies every suggestion.

The concatenation becomes a `?`-placeholder query and the interpolated values become bound parameters (surrounding quotes are dropped); `execute(String)` becomes `update(String, Object...)`. The rewrite uses JavaParser and preserves the file's formatting, so the diff is minimal.

Verified end-to-end: applying the fixes drops the benchmark's SQL findings from 15 to 1 (the remaining one is R2DBC DatabaseClient, a different binding idiom and out of scope) and the patched code compiles.

Scope by design: `JdbcTemplate` `query`/`update`/`execute` whose argument is a string concatenation. Anything else is left untouched rather than guessed at, because a wrong fix is worse than none.
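The rewrite rule and the scope rule above, as an added Python model of the transformation (not the project's JavaParser-based code): concatenation becomes a `?`-placeholder query, the interpolated values become trailing bound parameters with their surrounding quotes dropped, `execute` becomes `update`, and anything outside the pattern is refused rather than guessed at. The tokenizer and the "simple expression" rule it binds on are assumptions of this example, not the tool's.

```python
import re
# Assumed binding rule (not the project's): bind only a plain identifier, field access or no-arg call.
SIMPLE_EXPR = re.compile(r"^[A-Za-z_]\w*(?:\.[A-Za-z_]\w*)*(?:\(\))?$")
TARGET_METHOD = {"query": "query", "update": "update", "execute": "update"}  # execute(String) -> update(String, Object...)

def split_concat(expr):
    # Split a Java concatenation into ('lit', text) and ('expr', code) parts at top-level '+'.
    parts, i, n = [], 0, len(expr)
    while i < n:
        if expr[i] in " \t+":
            i += 1
        elif expr[i] == '"':
            j = i + 1
            while expr[j] != '"':
                j += 2 if expr[j] == "\\" else 1  # skip escaped characters inside the literal
            parts.append(("lit", expr[i + 1:j]))
            i = j + 1
        else:
            m = re.match(r'[^+"]+', expr[i:])  # expression text up to the next '+' or literal
            parts.append(("expr", m.group().strip()))
            i += m.end()
    return parts

def parameterize(parts):
    # Build the ?-placeholder SQL plus the bound-parameter list; None if the shape is unsupported.
    sql, params, after_value = [], [], False
    for kind, text in parts:
        if kind == "lit":
            if after_value and text.startswith("'"):
                text = text[1:]  # drop the quote that closed the interpolated value
            sql.append(text)
            after_value = False
        else:
            if after_value or not SIMPLE_EXPR.match(text):  # a + b, or an expression we won't guess at
                return None
            if sql and sql[-1].endswith("'"):
                sql[-1] = sql[-1][:-1]  # drop the quote that opened the interpolated value
            sql.append("?")
            params.append(text)
            after_value = True
    return "".join(sql), params

def suggest_fix(receiver, method, sql_expr, trailing_args=()):
    # Return the rewritten JdbcTemplate call, or None when the call is out of scope.
    result = parameterize(split_concat(sql_expr)) if method in TARGET_METHOD else None
    if not result or not result[1] or result[0] == "?":  # unsupported, no values, or no SQL text
        return None
    args = [f'"{result[0]}"', *trailing_args, *result[1]]
    return f"{receiver}.{TARGET_METHOD[method]}({', '.join(args)})"
```

Feeding the release's own `UserRepository.java:34` expression to `suggest_fix("jdbc", "query", ..., ["mapper"])` reproduces the `+` line of the diff above; a `String.valueOf(x)` argument or two values joined directly (`a + b`) yields `None`, mirroring the "left untouched" policy.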