cycode 3.16.1.dev7__py3-none-any.whl → 3.16.1.dev8__py3-none-any.whl

cycode/__init__.py

@@ -1 +1,8 @@
-__version__ = '3.16.1.dev7'  # DON'T TOUCH. Placeholder. Will be filled automatically on poetry build from Git Tag
+import time as _time
+
+# Unix-epoch wall clock captured at the earliest possible moment of CLI
+# startup. Sent as `scan_parameters.cli_start_time` so the server can compute
+# end-to-end scan duration from the moment the user actually triggered it.
+_BOOT_WALL: float = _time.time()
+
+__version__ = '3.16.1.dev8'  # DON'T TOUCH. Placeholder. Will be filled automatically on poetry build from Git Tag

cycode/cli/app.py

@@ -1,3 +1,4 @@
+import importlib
 import logging
 import sys
 from typing import Annotated, Optional
@@ -10,12 +11,7 @@ from typer._completion_shared import Shells
 from typer.completion import install_callback, show_callback
 
 from cycode import __version__
-from cycode.cli.apps import ai_guardrails, ai_remediation, auth, configure, ignore, report, report_import, scan, status
 from cycode.cli.apps.api import get_platform_group
-
-if sys.version_info >= (3, 10):
-    from cycode.cli.apps import mcp
-
 from cycode.cli.cli_types import OutputTypeOption
 from cycode.cli.consts import CLI_CONTEXT_SETTINGS
 from cycode.cli.printers import ConsolePrinter
@@ -46,17 +42,88 @@ app = typer.Typer(
     add_completion=False,  # we add it manually to control the rich help panel
 )
 
-app.add_typer(ai_guardrails.app)
-app.add_typer(ai_remediation.app)
-app.add_typer(auth.app)
-app.add_typer(configure.app)
-app.add_typer(ignore.app)
-app.add_typer(report.app)
-app.add_typer(report_import.app)
-app.add_typer(scan.app)
-app.add_typer(status.app)
+# Top-level subcommand → module providing its Typer app. Peeking at sys.argv
+# lets us import only the invoked subapp on the hot path (e.g.
+# `cycode ai-guardrails scan`), skipping ~300ms of unrelated imports.
+_SUBAPP_MODULES: dict[str, str] = {
+    'ai-guardrails': 'cycode.cli.apps.ai_guardrails',
+    'ai-remediation': 'cycode.cli.apps.ai_remediation',
+    'auth': 'cycode.cli.apps.auth',
+    'configure': 'cycode.cli.apps.configure',
+    'ignore': 'cycode.cli.apps.ignore',
+    'report': 'cycode.cli.apps.report',
+    'import': 'cycode.cli.apps.report_import',
+    'scan': 'cycode.cli.apps.scan',
+    'status': 'cycode.cli.apps.status',
+}
 if sys.version_info >= (3, 10):
-    app.add_typer(mcp.app)
+    _SUBAPP_MODULES['mcp'] = 'cycode.cli.apps.mcp'
+
+# Aliases: alternate spellings that resolve to a primary subcommand key.
+_SUBAPP_ALIASES: dict[str, str] = {
+    'ai_remediation': 'ai-remediation',  # backward-compat underscore form
+    'version': 'status',
+}
+
+# Root-level options that consume a following value; argv-peek must skip past
+# both the option and its value when scanning for the first positional arg.
+_ROOT_OPTS_WITH_VALUE = frozenset(
+    {
+        '--output',
+        '-o',
+        '--user-agent',
+        '--client-secret',
+        '--client-id',
+        '--id-token',
+        '--show-completion',
+    }
+)
+
+
+def _detect_invocation() -> tuple[Optional[str], Optional[str]]:
+    """Return (top-level-subapp, second-level-subcommand) parsed from sys.argv.
+
+    Both values may be None: when no positional arg matches a known subapp,
+    or when the user only provided a top-level subcommand.
+    """
+    positionals = []
+    args = sys.argv[1:]
+    i = 0
+    while i < len(args):
+        arg = args[i]
+        if arg in _ROOT_OPTS_WITH_VALUE:
+            i += 2
+        elif arg.startswith('-'):
+            # Any flag form: short, long, --key=value, or '--' marker. Skip the token only.
+            i += 1
+        else:
+            positionals.append(arg)
+            if len(positionals) >= 2:
+                break
+            i += 1
+    subapp = positionals[0] if positionals else None
+    subapp = _SUBAPP_ALIASES.get(subapp, subapp)
+    if subapp not in _SUBAPP_MODULES:
+        return None, None
+    subcommand = positionals[1] if len(positionals) >= 2 else None
+    return subapp, subcommand
+
+
+# Computed once at import; reused by lazy registration and the version-checker skip.
+_INVOKED_SUBAPP, _INVOKED_SUBCOMMAND = _detect_invocation()
+
+
+def _register_subapps(only: Optional[str]) -> None:
+    if only is not None:
+        app.add_typer(importlib.import_module(_SUBAPP_MODULES[only]).app)
+        return
+    # Cold path (--help, completion, unknown subcommand): load all modules so
+    # root help lists everything. Deduplicate since aliases share modules.
+    for module_path in dict.fromkeys(_SUBAPP_MODULES.values()):
+        app.add_typer(importlib.import_module(module_path).app)
+
+
+_register_subapps(_INVOKED_SUBAPP)
 
 # Register the `platform` command group (dynamically built from the OpenAPI spec).
 # The group itself is constructed cheaply at import time; the spec is only fetched
@@ -81,6 +148,12 @@ typer.main.get_group = _get_group_with_platform
 
 
 def check_latest_version_on_close(ctx: typer.Context) -> None:
+    # Skip on `cycode ai-guardrails scan` — it emits JSON to stdout, so an
+    # upgrade notice would corrupt the response. Human-driven sibling commands
+    # (install, uninstall, status, session-start) still get the notice.
+    if (_INVOKED_SUBAPP, _INVOKED_SUBCOMMAND) == ('ai-guardrails', 'scan'):
+        return
+
     output = ctx.obj.get('output')
     # don't print anything if the output is JSON
     if output == OutputTypeOption.JSON:

cycode/cli/apps/scan/code_scanner.py

@@ -204,18 +204,21 @@ def _get_scan_documents_thread_func(
                 'zip_file_size': zip_file_size,
             },
         )
-        report_scan_status(
-            cycode_client,
-            scan_type,
-            scan_id,
-            scan_completed,
-            relevant_detections_count,
-            detections_count,
-            len(batch),
-            zip_file_size,
-            command_scan_type,
-            error_message,
-        )
+        # Sync flows already received the full result inline; only async flows
+        # need a separate status report to signal polling completion.
+        if not should_use_sync_flow:
+            report_scan_status(
+                cycode_client,
+                scan_type,
+                scan_id,
+                scan_completed,
+                relevant_detections_count,
+                detections_count,
+                len(batch),
+                zip_file_size,
+                command_scan_type,
+                error_message,
+            )
 
         return scan_id, error, local_scan_result
 

cycode/cli/apps/scan/scan_parameters.py

@@ -2,6 +2,7 @@ from typing import Optional
 
 import typer
 
+from cycode import _BOOT_WALL
 from cycode.cli.apps.scan.remote_url_resolver import get_remote_url_scan_parameter
 from cycode.cli.utils.scan_utils import generate_unique_scan_id
 from cycode.logger import get_logger
@@ -17,6 +18,7 @@ def _get_default_scan_parameters(ctx: typer.Context) -> dict:
         'license_compliance': ctx.obj.get('license-compliance'),
         'command_type': ctx.info_name.replace('-', '_'),  # save backward compatibility
         'aggregation_id': str(generate_unique_scan_id()),
+        'cli_start_time': _BOOT_WALL,
     }
 
 

cycode/cli/apps/scan/scan_result.py

@@ -189,6 +189,10 @@ def enrich_scan_result_with_data_from_detection_rules(
         for detection in detections_per_file.detections:
             detection_rule_ids.add(detection.detection_rule_id)
 
+    if not detection_rule_ids:
+        logger.debug('No detections to enrich, skipping detection_rules fetch')
+        return
+
     detection_rules = cycode_client.get_detection_rules(detection_rule_ids)
     detection_rules_by_id = {detection_rule.detection_rule_id: detection_rule for detection_rule in detection_rules}
 

cycode/cyclient/base_token_auth_client.py

@@ -24,19 +24,10 @@ class BaseTokenAuthClient(CycodeClient, ABC):
         self.client_id = client_id
 
         self._credentials_manager = CredentialsManager()
-        # load cached access token
-        access_token, expires_in, creator = self._credentials_manager.get_access_token()
-
-        self._access_token = self._expires_in = None
-        expected_creator = self._create_jwt_creator()
-        if creator == expected_creator:
-            # we must be sure that cached access token is created using the same client id and client secret.
-            # because client id and client secret could be passed via command, via env vars or via config file.
-            # we must not use cached access token if client id or client secret was changed.
-            self._access_token = access_token
-            self._expires_in = arrow.get(expires_in) if expires_in else None
-
+        self._access_token = None
+        self._expires_in = None
         self._lock = Lock()
+        self._load_token_from_disk()
 
     def get_access_token(self) -> str:
         with self._lock:
@@ -51,8 +42,30 @@ class BaseTokenAuthClient(CycodeClient, ABC):
             self._credentials_manager.update_access_token(None, None, None)
 
     def refresh_access_token_if_needed(self) -> None:
-        if self._access_token is None or self._expires_in is None or arrow.utcnow() >= self._expires_in:
-            self.refresh_access_token()
+        if self._has_valid_token():
+            return
+        # Re-check disk before doing the network refresh: another client instance
+        # in this process may have already refreshed and persisted a fresh token.
+        self._load_token_from_disk()
+        if self._has_valid_token():
+            return
+        self.refresh_access_token()
+
+    def _has_valid_token(self) -> bool:
+        return self._access_token is not None and self._expires_in is not None and arrow.utcnow() < self._expires_in
+
+    def _load_token_from_disk(self) -> None:
+        access_token, expires_in, creator = self._credentials_manager.get_access_token()
+        expected_creator = self._create_jwt_creator()
+        # We must be sure that cached access token is created using the same client id and client secret.
+        # Because client id and client secret could be passed via command, via env vars or via config file.
+        # We must not use cached access token if client id or client secret was changed.
+        if creator == expected_creator and access_token:
+            self._access_token = access_token
+            self._expires_in = arrow.get(expires_in) if expires_in else None
+        else:
+            self._access_token = None
+            self._expires_in = None
 
     def refresh_access_token(self) -> None:
         auth_response = self._request_new_access_token()

cycode/cyclient/cycode_client_base.py

@@ -1,3 +1,4 @@
+import functools
 import os
 import platform
 import ssl
@@ -39,16 +40,29 @@ class SystemStorageSslContext(HTTPAdapter):
         conn.ca_certs = None
 
 
+@functools.cache
+def _get_session() -> requests.Session:
+    """Process-wide Session so TCP+TLS connections are reused across all API calls."""
+    session = requests.Session()
+    # On Windows without an explicit CA bundle env var, fall back to the system
+    # trust store via a custom SSL context.
+    if platform.system() == 'Windows' and not (
+        os.environ.get('REQUESTS_CA_BUNDLE') or os.environ.get('CURL_CA_BUNDLE')
+    ):
+        session.mount('https://', SystemStorageSslContext())
+    return session
+
+
 def _get_request_function() -> Callable:
-    if os.environ.get('REQUESTS_CA_BUNDLE') or os.environ.get('CURL_CA_BUNDLE'):
-        return requests.request
+    return _get_session().request
 
-    if platform.system() != 'Windows':
-        return requests.request
 
-    session = requests.Session()
-    session.mount('https://', SystemStorageSslContext())
-    return session.request
+def _log_response(response: Response, url: str, hide_response_content_log: bool) -> None:
+    content = 'HIDDEN' if hide_response_content_log else response.text
+    logger.debug(
+        'Receiving response, %s',
+        {'status_code': response.status_code, 'url': url, 'content': content},
+    )
 
 
 _REQUEST_ERRORS_TO_RETRY = (
@@ -182,12 +196,7 @@ class CycodeClientBase:
             response = _get_request_function()(
                 method='post', url=url, data=tracker, headers=headers, timeout=self.timeout
             )
-
-            content = 'HIDDEN' if hide_response_content_log else response.text
-            logger.debug(
-                'Receiving response, %s',
-                {'status_code': response.status_code, 'url': url, 'content': content},
-            )
+            _log_response(response, url, hide_response_content_log)
 
             response.raise_for_status()
             return response
@@ -231,14 +240,8 @@ class CycodeClientBase:
 
         try:
             headers = self.get_request_headers(headers, without_auth=without_auth)
-            request = _get_request_function()
-            response = request(method=method, url=url, timeout=timeout, headers=headers, **kwargs)
-
-            content = 'HIDDEN' if hide_response_content_log else response.text
-            logger.debug(
-                'Receiving response, %s',
-                {'status_code': response.status_code, 'url': url, 'content': content},
-            )
+            response = _get_request_function()(method=method, url=url, timeout=timeout, headers=headers, **kwargs)
+            _log_response(response, url, hide_response_content_log)
 
             response.raise_for_status()
             return response

{cycode-3.16.1.dev7.dist-info → cycode-3.16.1.dev8.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: cycode
-Version: 3.16.1.dev7
+Version: 3.16.1.dev8
 Summary: Boost security in your dev lifecycle via SAST, SCA, Secrets & IaC scanning.
 License-Expression: MIT
 License-File: LICENCE

{cycode-3.16.1.dev7.dist-info → cycode-3.16.1.dev8.dist-info}/RECORD

@@ -1,7 +1,7 @@
-cycode/__init__.py,sha256=5B0uQpQ89sImWJL007hvzWjchwgJBFIKiQtxtmYyQ6Y,115
+cycode/__init__.py,sha256=siI5hylQu6psc8BhJ8mJVZy2tus_WWs4FzFOEgJbEqg,396
 cycode/__main__.py,sha256=Z3bD5yrA7yPvAChcADQrqCaZd0ChGI1gdiwALwbWJ6U,104
 cycode/cli/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-cycode/cli/app.py,sha256=7ReEcVkRX9IaQ2I7jAj7Sl9smbtvxiuK8-9bitMEQik,7491
+cycode/cli/app.py,sha256=AlR2durAEbsa47PDfIj7JtMvJDWA_Dq6wPtVuMJYSCs,10250
 cycode/cli/apps/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 cycode/cli/apps/activation_manager.py,sha256=Hz9PDJFB-ZmYi4HSG8iYC-fR8j5v25VuUU-l95Otsdk,1678
 cycode/cli/apps/ai_guardrails/__init__.py,sha256=NsqB1Ca83BIjJMcDSt6suec6Ed0iNnacC0gBqkuuTtI,1367
@@ -64,7 +64,7 @@ cycode/cli/apps/report_import/sbom/sbom_command.py,sha256=uWvBhVdROHcHsjoR3l44h3
 cycode/cli/apps/sca_options.py,sha256=-3iXoJV5qOkfjr-WGIWuAgaeNYeItJIbm2n6O2Kg5D8,1666
 cycode/cli/apps/scan/__init__.py,sha256=-q1AIBnrQ4GP0CVKFLr_2CdWf9TBQC90ejSL4I7rxuA,2444
 cycode/cli/apps/scan/aggregation_report.py,sha256=8f9kPfO7biNf5OsDZG6UhMPqG6ymoFrX5GBtlEIfFAg,1540
-cycode/cli/apps/scan/code_scanner.py,sha256=IoU3dAFSXa4o0W8FggTUrgEonI0OYqREuG34i0XBumI,16865
+cycode/cli/apps/scan/code_scanner.py,sha256=jjUzi2yueS0TrW4lo_vkkz1KMoBJfwjCCsKeSmoPW2A,17099
 cycode/cli/apps/scan/commit_history/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 cycode/cli/apps/scan/commit_history/commit_history_command.py,sha256=zTVmN8yeLXGAiCbyDL-EyEzSPNLzcRpP2q6Qq7p4uZA,1011
 cycode/cli/apps/scan/commit_range_scanner.py,sha256=axFs--Xcb3I7D_SJHtBNE810qyCsSzLqPn_rD_8Peb8,17172
@@ -84,8 +84,8 @@ cycode/cli/apps/scan/scan_ci/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NM
 cycode/cli/apps/scan/scan_ci/ci_integrations.py,sha256=3ZUv1uLsHC13KTNQ4erQKKDXAkmaSm5jow2Utwr4mCw,1634
 cycode/cli/apps/scan/scan_ci/scan_ci_command.py,sha256=37I6YTs5UWYtbnDe1EeYZnhV1twFTDUrniZ4Sf2_6Kk,562
 cycode/cli/apps/scan/scan_command.py,sha256=n3bzGjB5CSmLRfFn6-pLBhrlOCDTRz2Kfn2L_J1l0io,7916
-cycode/cli/apps/scan/scan_parameters.py,sha256=66Ft8c_L6_BxDvRgJoXP5ItUQfzSHGF_XJWBdQismrg,1341
-cycode/cli/apps/scan/scan_result.py,sha256=mIxALi_qUfXHoauSU7SknX0xLp8P9WdhV3oFc8jp_SA,8497
+cycode/cli/apps/scan/scan_parameters.py,sha256=x0UPwLQx85SW-pdPG6bNkChmnBXhWA8lnUCdY08urq8,1409
+cycode/cli/apps/scan/scan_result.py,sha256=hTPB2wnsbqSNqAxhWN4P7_ygDN_j5Mufs_shIb0FJU4,8624
 cycode/cli/apps/status/__init__.py,sha256=uxfkEBafO7Da0mPc1fZhwoO0RTtyXp2a5T3LJTZxubU,371
 cycode/cli/apps/status/get_cli_status.py,sha256=1UAVyKPpYk2S8nQYshKD1x5xgWR-hCTchLChxNU0JVA,2577
 cycode/cli/apps/status/models.py,sha256=2SBpJlh_MNCPxv8aXMV5D4GfK6-G-XB0GlMFZ3Nep_o,1907
@@ -189,13 +189,13 @@ cycode/cyclient/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 cycode/cyclient/ai_security_manager_client.py,sha256=aZKsq2yB7ZiptMGj0RBTuPYyjYiJ5FTjNTi5_i37t4Q,4282
 cycode/cyclient/ai_security_manager_service_config.py,sha256=83pQzgOb93JW6E-dznJkI4c0NEXmQRlx9YZKMmjVwp8,808
 cycode/cyclient/auth_client.py,sha256=TwbmZ358Ancf-Q-IZolvfljZ8691_6botsqd0R0PLPk,2105
-cycode/cyclient/base_token_auth_client.py,sha256=3JIrSz0-ywVTIfxIs2zs5aGcE-x5GW3AgPHm9qA4ZDE,3857
+cycode/cyclient/base_token_auth_client.py,sha256=mn5580d7A8Z2_zcdFKIJk78ADK7mViwTcV-4QCpRCGo,4369
 cycode/cyclient/cli_activation_client.py,sha256=QaATFVABf0vQ6cTU_dCN9UT6fUkJf5qciaK8W7gQDrc,419
 cycode/cyclient/client_creator.py,sha256=-bsOT7M28yx-WT1UhSzENY8N9EgoQIv48Smrr9izQTI,2849
 cycode/cyclient/config.py,sha256=Le3YYp7LyclTwS4vonuFipfRA1qhyC28_muUtxpnImc,1387
 cycode/cyclient/config_dev.py,sha256=GJ3w8Q-ow5SvXGBFA34eaeoI6GhitavAGy3UfcUh9OU,120
 cycode/cyclient/cycode_client.py,sha256=ifZMA4RlFw4QNHku5ZxmtUKglH2yd1479yYZGDtxVvw,257
-cycode/cyclient/cycode_client_base.py,sha256=N9awOsu0nP7yuRbYwFNbkhR99L2Z84k7sC-wiFaC8Pw,10018
+cycode/cyclient/cycode_client_base.py,sha256=_53DmKG_RAEY9INP_27s9FPa4_StQI5IgWt1Pl_Coq8,10193
 cycode/cyclient/cycode_dev_based_client.py,sha256=8LxeUWizXzZ0ilpwb6Q0W4ZMLZyZdKPzgpl5xcRmT8c,664
 cycode/cyclient/cycode_oidc_based_client.py,sha256=AVKBlqFOLYUQVxyPquvFwqnYpD6xgU_R6GJiQCWEdJw,857
 cycode/cyclient/cycode_token_based_client.py,sha256=frbrv1jzF388SXqHNNkZ95Hbx7Vjd3UXwWnq7nVxYN8,848
@@ -207,8 +207,8 @@ cycode/cyclient/report_client.py,sha256=Scq30NeJPzgXv0hPLO1U05AdE9i_2iu6cIrSKpEJ
 cycode/cyclient/scan_client.py,sha256=6TK5FQkfrvV7PHqRnUzEn1PBNd2oPYVamvIixcUfe3c,16755
 cycode/cyclient/scan_config_base.py,sha256=mXsPZGYCtp85rv5GIige40yQZXuRcEKUW-VQJ0vgFzk,1201
 cycode/logger.py,sha256=EfZGRK6VC5rE_LAjIcRrHFiQCueylCDXoG6bvGkrIME,2111
-cycode-3.16.1.dev7.dist-info/METADATA,sha256=Y43jx9fdiLPcKksSYbryGOKCx5bTtFWzTYbmb5Qn5HI,89245
-cycode-3.16.1.dev7.dist-info/WHEEL,sha256=zp0Cn7JsFoX2ATtOhtaFYIiE2rmFAD4OcMhtUki8W3U,88
-cycode-3.16.1.dev7.dist-info/entry_points.txt,sha256=iDcVJM8ByLElVgvBgtYxDjw1kT7O8Mo0LcWZIT5L3Ig,45
-cycode-3.16.1.dev7.dist-info/licenses/LICENCE,sha256=2Wx4N6mD_4xB7-E3hPkZ3MPhpJy__k_I8MaCSO-PDRo,1068
-cycode-3.16.1.dev7.dist-info/RECORD,,
+cycode-3.16.1.dev8.dist-info/METADATA,sha256=KBETRmc3w4f-wgb_zt3RtCIhHKLI5aa_Vz_axKwCFK4,89245
+cycode-3.16.1.dev8.dist-info/WHEEL,sha256=zp0Cn7JsFoX2ATtOhtaFYIiE2rmFAD4OcMhtUki8W3U,88
+cycode-3.16.1.dev8.dist-info/entry_points.txt,sha256=iDcVJM8ByLElVgvBgtYxDjw1kT7O8Mo0LcWZIT5L3Ig,45
+cycode-3.16.1.dev8.dist-info/licenses/LICENCE,sha256=2Wx4N6mD_4xB7-E3hPkZ3MPhpJy__k_I8MaCSO-PDRo,1068
+cycode-3.16.1.dev8.dist-info/RECORD,,