cycode 3.16.1.dev7__py3-none-any.whl → 3.16.2__py3-none-any.whl

cycode/__init__.py

@@ -1 +1,8 @@
-__version__ = '3.16.1.dev7'  # DON'T TOUCH. Placeholder. Will be filled automatically on poetry build from Git Tag
+import time as _time
+
+# Unix-epoch wall clock captured at the earliest possible moment of CLI
+# startup. Sent as `scan_parameters.cli_start_time` so the server can compute
+# end-to-end scan duration from the moment the user actually triggered it.
+_BOOT_WALL: float = _time.time()
+
+__version__ = '3.16.2'  # DON'T TOUCH. Placeholder. Will be filled automatically on poetry build from Git Tag

cycode/cli/app.py

@@ -1,3 +1,4 @@
+import importlib
 import logging
 import sys
 from typing import Annotated, Optional
@@ -10,12 +11,7 @@ from typer._completion_shared import Shells
 from typer.completion import install_callback, show_callback
 
 from cycode import __version__
-from cycode.cli.apps import ai_guardrails, ai_remediation, auth, configure, ignore, report, report_import, scan, status
 from cycode.cli.apps.api import get_platform_group
-
-if sys.version_info >= (3, 10):
-    from cycode.cli.apps import mcp
-
 from cycode.cli.cli_types import OutputTypeOption
 from cycode.cli.consts import CLI_CONTEXT_SETTINGS
 from cycode.cli.printers import ConsolePrinter
@@ -46,17 +42,88 @@ app = typer.Typer(
     add_completion=False,  # we add it manually to control the rich help panel
 )
 
-app.add_typer(ai_guardrails.app)
-app.add_typer(ai_remediation.app)
-app.add_typer(auth.app)
-app.add_typer(configure.app)
-app.add_typer(ignore.app)
-app.add_typer(report.app)
-app.add_typer(report_import.app)
-app.add_typer(scan.app)
-app.add_typer(status.app)
+# Top-level subcommand → module providing its Typer app. Peeking at sys.argv
+# lets us import only the invoked subapp on the hot path (e.g.
+# `cycode ai-guardrails scan`), skipping ~300ms of unrelated imports.
+_SUBAPP_MODULES: dict[str, str] = {
+    'ai-guardrails': 'cycode.cli.apps.ai_guardrails',
+    'ai-remediation': 'cycode.cli.apps.ai_remediation',
+    'auth': 'cycode.cli.apps.auth',
+    'configure': 'cycode.cli.apps.configure',
+    'ignore': 'cycode.cli.apps.ignore',
+    'report': 'cycode.cli.apps.report',
+    'import': 'cycode.cli.apps.report_import',
+    'scan': 'cycode.cli.apps.scan',
+    'status': 'cycode.cli.apps.status',
+}
 if sys.version_info >= (3, 10):
-    app.add_typer(mcp.app)
+    _SUBAPP_MODULES['mcp'] = 'cycode.cli.apps.mcp'
+
+# Aliases: alternate spellings that resolve to a primary subcommand key.
+_SUBAPP_ALIASES: dict[str, str] = {
+    'ai_remediation': 'ai-remediation',  # backward-compat underscore form
+    'version': 'status',
+}
+
+# Root-level options that consume a following value; argv-peek must skip past
+# both the option and its value when scanning for the first positional arg.
+_ROOT_OPTS_WITH_VALUE = frozenset(
+    {
+        '--output',
+        '-o',
+        '--user-agent',
+        '--client-secret',
+        '--client-id',
+        '--id-token',
+        '--show-completion',
+    }
+)
+
+
+def _detect_invocation() -> tuple[Optional[str], Optional[str]]:
+    """Return (top-level-subapp, second-level-subcommand) parsed from sys.argv.
+
+    Both values may be None: when no positional arg matches a known subapp,
+    or when the user only provided a top-level subcommand.
+    """
+    positionals = []
+    args = sys.argv[1:]
+    i = 0
+    while i < len(args):
+        arg = args[i]
+        if arg in _ROOT_OPTS_WITH_VALUE:
+            i += 2
+        elif arg.startswith('-'):
+            # Any flag form: short, long, --key=value, or '--' marker. Skip the token only.
+            i += 1
+        else:
+            positionals.append(arg)
+            if len(positionals) >= 2:
+                break
+            i += 1
+    subapp = positionals[0] if positionals else None
+    subapp = _SUBAPP_ALIASES.get(subapp, subapp)
+    if subapp not in _SUBAPP_MODULES:
+        return None, None
+    subcommand = positionals[1] if len(positionals) >= 2 else None
+    return subapp, subcommand
+
+
+# Computed once at import; reused by lazy registration and the version-checker skip.
+_INVOKED_SUBAPP, _INVOKED_SUBCOMMAND = _detect_invocation()
+
+
+def _register_subapps(only: Optional[str]) -> None:
+    if only is not None:
+        app.add_typer(importlib.import_module(_SUBAPP_MODULES[only]).app)
+        return
+    # Cold path (--help, completion, unknown subcommand): load all modules so
+    # root help lists everything. Deduplicate since aliases share modules.
+    for module_path in dict.fromkeys(_SUBAPP_MODULES.values()):
+        app.add_typer(importlib.import_module(module_path).app)
+
+
+_register_subapps(_INVOKED_SUBAPP)
 
 # Register the `platform` command group (dynamically built from the OpenAPI spec).
 # The group itself is constructed cheaply at import time; the spec is only fetched
@@ -81,6 +148,12 @@ typer.main.get_group = _get_group_with_platform
 
 
 def check_latest_version_on_close(ctx: typer.Context) -> None:
+    # Skip on `cycode ai-guardrails scan` — it emits JSON to stdout, so an
+    # upgrade notice would corrupt the response. Human-driven sibling commands
+    # (install, uninstall, status, session-start) still get the notice.
+    if (_INVOKED_SUBAPP, _INVOKED_SUBCOMMAND) == ('ai-guardrails', 'scan'):
+        return
+
     output = ctx.obj.get('output')
     # don't print anything if the output is JSON
     if output == OutputTypeOption.JSON:

cycode/cli/apps/ai_guardrails/ides/_plugin_utils.py

@@ -26,13 +26,26 @@ def load_plugin_json(path: Path) -> Optional[dict]:
         return None
 
 
+def build_global_config_file(path: Path, mcp_servers: Optional[dict]) -> Optional[dict]:
+    """Wrap a global (non-plugin) MCP config into the session-context file shape.
+
+    Returns ``{"path": <full path>, "content": <{"mcpServers": ...} JSON>}`` when
+    there are servers, else ``None``. ``content`` is normalized to the canonical
+    ``{"mcpServers": {...}}`` shape, dropping everything else in the source file.
+    """
+    servers = mcp_servers or {}
+    if not servers:
+        return None
+    return {'path': str(path), 'content': json.dumps({'mcpServers': servers})}
+
+
 def walk_enabled_plugins(
     plugin_entries: dict[str, Any],
     is_enabled: Callable[[Any], bool],
     locate_dir: Callable[[str, str], Optional[Path]],
     read_plugin: Callable[[Path], tuple[dict, dict]],
-) -> tuple[dict, dict]:
-    """Iterate enabled plugins; merge their MCP servers and metadata.
+) -> dict:
+    """Iterate enabled plugins and build their inventory metadata.
 
     Args:
         plugin_entries: ``{<plugin>@<marketplace>: settings}`` map from the IDE config.
@@ -42,13 +55,13 @@ def walk_enabled_plugins(
             filesystem path or None if it can't be resolved.
         read_plugin: given the plugin path, returns ``(entry_fields, servers)``:
             ``entry_fields`` are extra metadata to attach to the inventory entry
-            (name/version/description/...), ``servers`` are MCP servers contributed.
+            (name/version/description/...); ``servers`` are the plugin's MCP
+            servers, which ``read_plugin`` uses to derive that metadata.
 
-    Returns ``(merged_mcp_servers, enriched_plugins)``. Plugin keys without
-    ``@`` (or that fail to resolve to a directory) still appear in the
-    inventory with just ``{'enabled': True}`` so we don't silently drop them.
+    Returns ``enriched_plugins``. Plugin keys without ``@`` (or that fail to
+    resolve to a directory) still appear in the inventory with just
+    ``{'enabled': True}`` so we don't silently drop them.
     """
-    merged_mcp: dict = {}
     enriched: dict = {}
 
     for plugin_key, settings in plugin_entries.items():
@@ -66,8 +79,7 @@ def walk_enabled_plugins(
         if plugin_dir is None:
             continue
 
-        plugin_fields, servers = read_plugin(plugin_dir)
+        plugin_fields, _ = read_plugin(plugin_dir)
         entry.update(plugin_fields)
-        merged_mcp.update(servers)
 
-    return merged_mcp, enriched
+    return enriched

cycode/cli/apps/ai_guardrails/ides/base.py

@@ -167,10 +167,16 @@ class IDE(ABC):
         """
         return None
 
-    def get_session_context(self) -> tuple[dict, dict]:
-        """Return ``(mcp_servers, enabled_plugins)`` for session-context reporting.
+    def get_session_context(self) -> tuple[Optional[dict], dict]:
+        """Return ``(global_config_file, enabled_plugins)`` for session-context reporting.
 
-        Default: empty dicts (no plugin system, no discoverable MCP config).
+        ``global_config_file`` is the IDE's global (non-plugin) MCP config as
+        ``{"path": <full path>, "content": <normalized {"mcpServers": ...} JSON>}``,
+        or ``None`` when there is no global MCP config. ``enabled_plugins`` maps each
+        enabled plugin key to its metadata (including its own ``mcp_config_file``
+        content and ``mcp_config_file_path``).
+
+        Default: ``(None, {})`` (no plugin system, no discoverable MCP config).
         Override to surface MCP/plugin inventory.
         """
-        return {}, {}
+        return None, {}

cycode/cli/apps/ai_guardrails/ides/claude_code.py

@@ -7,7 +7,11 @@ from pathlib import Path
 from typing import ClassVar, Optional
 
 from cycode.cli.apps.ai_guardrails.consts import CYCODE_SCAN_PROMPT_COMMAND, CYCODE_SESSION_START_COMMAND
-from cycode.cli.apps.ai_guardrails.ides._plugin_utils import load_plugin_json, walk_enabled_plugins
+from cycode.cli.apps.ai_guardrails.ides._plugin_utils import (
+    build_global_config_file,
+    load_plugin_json,
+    walk_enabled_plugins,
+)
 from cycode.cli.apps.ai_guardrails.ides.base import IDE, DecisionAction, HookDecision
 from cycode.cli.apps.ai_guardrails.scan.payload import AIHookPayload
 from cycode.cli.apps.ai_guardrails.scan.types import AiHookEventType
@@ -184,14 +188,17 @@ def _read_claude_plugin(plugin_dir: Path) -> tuple[dict, dict]:
         if field in manifest:
             entry[field] = manifest[field]
 
-    mcp_config = load_plugin_json(plugin_dir / '.mcp.json') or {}
+    mcp_config_path = plugin_dir / '.mcp.json'
+    mcp_config = load_plugin_json(mcp_config_path) or {}
     servers: dict = mcp_config.get('mcpServers') or {}
     if servers:
         entry['mcp_server_names'] = list(servers.keys())
+        entry['mcp_config_file_path'] = str(mcp_config_path)
+        entry['mcp_config_file'] = json.dumps(mcp_config)
     return entry, servers
 
 
-def resolve_plugins(settings: dict) -> tuple[dict, dict]:
+def resolve_plugins(settings: dict) -> dict:
     """Walk Claude Code's ``enabledPlugins`` via the shared plugin walker.
 
     Each enabled plugin's marketplace is resolved through
@@ -354,15 +361,11 @@ class ClaudeCode(IDE):
         config = load_claude_config()
         return _email_from_config(config) if config else None
 
-    def get_session_context(self) -> tuple[dict, dict]:
+    def get_session_context(self) -> tuple[Optional[dict], dict]:
         config = load_claude_config()
-        mcp_servers: dict = dict(get_mcp_servers(config) or {}) if config else {}
+        global_config_file = build_global_config_file(_CLAUDE_CONFIG_PATH, get_mcp_servers(config)) if config else None
 
         settings = load_claude_settings()
-        if settings:
-            plugin_mcp, enriched_plugins = resolve_plugins(settings)
-            mcp_servers.update(plugin_mcp)
-        else:
-            enriched_plugins = {}
+        enriched_plugins = resolve_plugins(settings) if settings else {}
 
-        return mcp_servers, enriched_plugins
+        return global_config_file, enriched_plugins

cycode/cli/apps/ai_guardrails/ides/codex.py

@@ -14,7 +14,11 @@ else:  # pragma: no cover - py<3.11 fallback
     import tomli as tomllib
 
 from cycode.cli.apps.ai_guardrails.consts import CYCODE_SCAN_PROMPT_COMMAND, CYCODE_SESSION_START_COMMAND
-from cycode.cli.apps.ai_guardrails.ides._plugin_utils import load_plugin_json, walk_enabled_plugins
+from cycode.cli.apps.ai_guardrails.ides._plugin_utils import (
+    build_global_config_file,
+    load_plugin_json,
+    walk_enabled_plugins,
+)
 from cycode.cli.apps.ai_guardrails.ides.base import IDE, DecisionAction, HookDecision
 from cycode.cli.apps.ai_guardrails.scan.payload import AIHookPayload
 from cycode.cli.apps.ai_guardrails.scan.types import AiHookEventType
@@ -129,16 +133,19 @@ def _read_codex_plugin(plugin_dir: Path) -> tuple[dict, dict]:
     mcp_ref = manifest.get('mcpServers')
     if not mcp_ref:
         return entry, {}
-    mcp_doc = load_plugin_json(plugin_dir / mcp_ref) or {}
+    mcp_config_path = plugin_dir / mcp_ref
+    mcp_doc = load_plugin_json(mcp_config_path) or {}
     servers = mcp_doc.get('mcpServers', mcp_doc)
     if not isinstance(servers, dict):
         servers = {}
     if servers:
         entry['mcp_server_names'] = list(servers.keys())
+        entry['mcp_config_file_path'] = str(mcp_config_path)
+        entry['mcp_config_file'] = json.dumps(mcp_doc)
     return entry, servers
 
 
-def _resolve_codex_plugins(config: dict) -> tuple[dict, dict]:
+def _resolve_codex_plugins(config: dict) -> dict:
     """Walk enabled ``[plugins."<plugin>@<marketplace>"]`` entries."""
     return walk_enabled_plugins(
         plugin_entries=config.get('plugins') or {},
@@ -297,13 +304,14 @@ class Codex(IDE):
     def get_user_email(self) -> Optional[str]:
         return _email_from_auth()
 
-    def get_session_context(self) -> tuple[dict, dict]:
+    def get_session_context(self) -> tuple[Optional[dict], dict]:
         config = _load_codex_config()
         if not config:
-            return {}, {}
-        # Codex stores MCP servers under `[mcp_servers.<name>]`. Plugin-contributed
-        # servers (via `[plugins."<plugin>@<marketplace>"]`) merge on top.
-        mcp_servers: dict = dict(config.get('mcp_servers') or {})
-        plugin_mcp, enriched_plugins = _resolve_codex_plugins(config)
-        mcp_servers.update(plugin_mcp)
-        return mcp_servers, enriched_plugins
+            return None, {}
+        # Codex stores MCP servers under `[mcp_servers.<name>]`; the global config
+        # file becomes its own session-context file. Plugins (via
+        # `[plugins."<plugin>@<marketplace>"]`) carry their own config files.
+        config_path = _codex_config_toml_path('user')
+        global_config_file = build_global_config_file(config_path, config.get('mcp_servers'))
+        enriched_plugins = _resolve_codex_plugins(config)
+        return global_config_file, enriched_plugins

cycode/cli/apps/ai_guardrails/ides/cursor.py

@@ -6,6 +6,7 @@ from pathlib import Path
 from typing import ClassVar, Optional
 
 from cycode.cli.apps.ai_guardrails.consts import CYCODE_SCAN_PROMPT_COMMAND, CYCODE_SESSION_START_COMMAND
+from cycode.cli.apps.ai_guardrails.ides._plugin_utils import build_global_config_file
 from cycode.cli.apps.ai_guardrails.ides.base import IDE, DecisionAction, HookDecision
 from cycode.cli.apps.ai_guardrails.scan.payload import AIHookPayload
 from cycode.cli.apps.ai_guardrails.scan.types import AiHookEventType
@@ -39,9 +40,14 @@ def _user_hooks_dir() -> Path:
     return Path.home() / '.config' / 'Cursor'
 
 
+def _cursor_mcp_config_path() -> Path:
+    """User-scope Cursor MCP config path (``~/.cursor/mcp.json``, all platforms)."""
+    return Path.home() / '.cursor' / _MCP_CONFIG_FILENAME
+
+
 def _load_cursor_mcp_config(config_path: Optional[Path] = None) -> Optional[dict]:
     """Load and parse `~/.cursor/mcp.json`. Returns None if missing/invalid."""
-    path = config_path or (Path.home() / '.cursor' / _MCP_CONFIG_FILENAME)
+    path = config_path or _cursor_mcp_config_path()
     if not path.exists():
         logger.debug('Cursor MCP config file not found, %s', {'path': str(path)})
         return None
@@ -113,7 +119,10 @@ class Cursor(IDE):
             ide_version=raw_payload.get('cursor_version'),
         )
 
-    def get_session_context(self) -> tuple[dict, dict]:
+    def get_session_context(self) -> tuple[Optional[dict], dict]:
         config = _load_cursor_mcp_config()
-        mcp_servers = dict((config or {}).get('mcpServers') or {}) if config else {}
-        return mcp_servers, {}
+        if not config:
+            return None, {}
+        config_path = _cursor_mcp_config_path()
+        global_config_file = build_global_config_file(config_path, config.get('mcpServers'))
+        return global_config_file, {}

cycode/cli/apps/ai_guardrails/session_start_command.py

@@ -1,5 +1,8 @@
 """Handle AI guardrails session start: auth, conversation creation, session context."""
 
+import os
+import platform
+import socket
 import sys
 from typing import TYPE_CHECKING, Annotated, Optional
 
@@ -20,14 +23,25 @@ if TYPE_CHECKING:
 logger = get_logger('AI Guardrails')
 
 
+def _get_logged_in_user() -> Optional[str]:
+    """Best-effort OS account name (whoami). None if it can't be resolved."""
+    try:
+        return os.getlogin()
+    except Exception:
+        return None
+
+
 def _report_session_context(ai_client: 'AISecurityManagerClient', ide: IDE, user_email: Optional[str]) -> None:
     """Report IDE session context to the AI security manager. Never raises."""
     try:
-        mcp_servers, enabled_plugins = ide.get_session_context()
-        if not mcp_servers and not enabled_plugins:
+        global_config_file, enabled_plugins = ide.get_session_context()
+        if not global_config_file and not enabled_plugins:
             return
         ai_client.report_session_context(
-            mcp_servers=mcp_servers,
+            hostname=socket.gethostname(),
+            platform=platform.system(),
+            logged_in_user=_get_logged_in_user(),
+            global_config_file=global_config_file,
             enabled_plugins=enabled_plugins,
             user_email=user_email,
         )

cycode/cli/apps/scan/code_scanner.py

@@ -204,18 +204,21 @@ def _get_scan_documents_thread_func(
                 'zip_file_size': zip_file_size,
             },
         )
-        report_scan_status(
-            cycode_client,
-            scan_type,
-            scan_id,
-            scan_completed,
-            relevant_detections_count,
-            detections_count,
-            len(batch),
-            zip_file_size,
-            command_scan_type,
-            error_message,
-        )
+        # Sync flows already received the full result inline; only async flows
+        # need a separate status report to signal polling completion.
+        if not should_use_sync_flow:
+            report_scan_status(
+                cycode_client,
+                scan_type,
+                scan_id,
+                scan_completed,
+                relevant_detections_count,
+                detections_count,
+                len(batch),
+                zip_file_size,
+                command_scan_type,
+                error_message,
+            )
 
         return scan_id, error, local_scan_result
 

cycode/cli/apps/scan/scan_parameters.py

@@ -2,6 +2,7 @@ from typing import Optional
 
 import typer
 
+from cycode import _BOOT_WALL
 from cycode.cli.apps.scan.remote_url_resolver import get_remote_url_scan_parameter
 from cycode.cli.utils.scan_utils import generate_unique_scan_id
 from cycode.logger import get_logger
@@ -17,6 +18,7 @@ def _get_default_scan_parameters(ctx: typer.Context) -> dict:
         'license_compliance': ctx.obj.get('license-compliance'),
         'command_type': ctx.info_name.replace('-', '_'),  # save backward compatibility
         'aggregation_id': str(generate_unique_scan_id()),
+        'cli_start_time': _BOOT_WALL,
     }
 
 

cycode/cli/apps/scan/scan_result.py

@@ -189,6 +189,10 @@ def enrich_scan_result_with_data_from_detection_rules(
         for detection in detections_per_file.detections:
             detection_rule_ids.add(detection.detection_rule_id)
 
+    if not detection_rule_ids:
+        logger.debug('No detections to enrich, skipping detection_rules fetch')
+        return
+
     detection_rules = cycode_client.get_detection_rules(detection_rule_ids)
     detection_rules_by_id = {detection_rule.detection_rule_id: detection_rule for detection_rule in detection_rules}
 

cycode/cli/consts.py

@@ -53,6 +53,30 @@ SECRET_SCAN_FILE_EXTENSIONS_TO_IGNORE = (
     '.iso',
 )
 
+# Fallback block-list used for SAST only when the server does not return scannable extensions
+# (e.g. when the customer has custom rules, any text file is scannable). These are non-source
+# data formats that can slip past binary detection (the EICAR test file and ClamAV signature
+# databases are plain ASCII) and may be quarantined by object-storage antivirus after upload.
+SAST_SCAN_FILE_EXTENSIONS_TO_IGNORE = (
+    '.bin',
+    '.cvd',
+    '.cld',
+    '.cud',
+    '.hdb',
+    '.hsb',
+    '.mdb',
+    '.msb',
+    '.ndb',
+    '.ndu',
+    '.ldb',
+    '.ldu',
+    '.idb',
+    '.fp',
+    '.sfp',
+    '.ign',
+    '.ign2',
+)
+
 SCA_CONFIGURATION_SCAN_SUPPORTED_FILES = (  # keep in lowercase
     'cargo.lock',
     'cargo.toml',

cycode/cli/files_collector/file_excluder.py

@@ -63,7 +63,10 @@ class Excluder:
         }
         self._non_scannable_extensions: dict[str, tuple[str, ...]] = {
             consts.SECRET_SCAN_TYPE: consts.SECRET_SCAN_FILE_EXTENSIONS_TO_IGNORE,
+            consts.SAST_SCAN_TYPE: consts.SAST_SCAN_FILE_EXTENSIONS_TO_IGNORE,
         }
+        # Tracks scan types for which the SAST fallback log has already been emitted (log once, not per file)
+        self._logged_sast_fallback = False
 
     def apply_scan_config(self, scan_type: str, scan_config: 'models.ScanConfiguration') -> None:
         if scan_config.scannable_extensions:
@@ -86,6 +89,11 @@ class Excluder:
 
         non_scannable_extensions = self._non_scannable_extensions.get(scan_type)
         if non_scannable_extensions:
+            # For SAST, reaching the block-list means the server returned no scannable extensions
+            # (e.g. custom rules, or no remote config). Log once so this is diagnosable.
+            if scan_type == consts.SAST_SCAN_TYPE and not self._logged_sast_fallback:
+                self._logged_sast_fallback = True
+                logger.debug('No scannable extensions provided for SAST; falling back to the built-in ignore list')
             return not filename.endswith(non_scannable_extensions)
 
         return True

cycode/cyclient/ai_security_manager_client.py

@@ -93,15 +93,21 @@ class AISecurityManagerClient:
 
     def report_session_context(
         self,
-        mcp_servers: Optional[dict] = None,
+        hostname: Optional[str] = None,
+        platform: Optional[str] = None,
+        logged_in_user: Optional[str] = None,
+        global_config_file: Optional[dict] = None,
         enabled_plugins: Optional[dict] = None,
         user_email: Optional[str] = None,
     ) -> None:
         """Report session context to the backend."""
         body: dict = {
-            'mcp_servers': mcp_servers,
-            'enabled_plugins': enabled_plugins,
+            'hostname': hostname,
+            'platform': platform,
+            'logged_in_user': logged_in_user,
             'user_email': user_email,
+            'global_config_file': global_config_file,
+            'enabled_plugins': enabled_plugins,
         }
 
         try:

cycode/cyclient/base_token_auth_client.py

@@ -24,19 +24,10 @@ class BaseTokenAuthClient(CycodeClient, ABC):
         self.client_id = client_id
 
         self._credentials_manager = CredentialsManager()
-        # load cached access token
-        access_token, expires_in, creator = self._credentials_manager.get_access_token()
-
-        self._access_token = self._expires_in = None
-        expected_creator = self._create_jwt_creator()
-        if creator == expected_creator:
-            # we must be sure that cached access token is created using the same client id and client secret.
-            # because client id and client secret could be passed via command, via env vars or via config file.
-            # we must not use cached access token if client id or client secret was changed.
-            self._access_token = access_token
-            self._expires_in = arrow.get(expires_in) if expires_in else None
-
+        self._access_token = None
+        self._expires_in = None
         self._lock = Lock()
+        self._load_token_from_disk()
 
     def get_access_token(self) -> str:
         with self._lock:
@@ -51,8 +42,30 @@ class BaseTokenAuthClient(CycodeClient, ABC):
             self._credentials_manager.update_access_token(None, None, None)
 
     def refresh_access_token_if_needed(self) -> None:
-        if self._access_token is None or self._expires_in is None or arrow.utcnow() >= self._expires_in:
-            self.refresh_access_token()
+        if self._has_valid_token():
+            return
+        # Re-check disk before doing the network refresh: another client instance
+        # in this process may have already refreshed and persisted a fresh token.
+        self._load_token_from_disk()
+        if self._has_valid_token():
+            return
+        self.refresh_access_token()
+
+    def _has_valid_token(self) -> bool:
+        return self._access_token is not None and self._expires_in is not None and arrow.utcnow() < self._expires_in
+
+    def _load_token_from_disk(self) -> None:
+        access_token, expires_in, creator = self._credentials_manager.get_access_token()
+        expected_creator = self._create_jwt_creator()
+        # We must be sure that cached access token is created using the same client id and client secret.
+        # Because client id and client secret could be passed via command, via env vars or via config file.
+        # We must not use cached access token if client id or client secret was changed.
+        if creator == expected_creator and access_token:
+            self._access_token = access_token
+            self._expires_in = arrow.get(expires_in) if expires_in else None
+        else:
+            self._access_token = None
+            self._expires_in = None
 
     def refresh_access_token(self) -> None:
         auth_response = self._request_new_access_token()

cycode/cyclient/cycode_client_base.py

@@ -1,3 +1,4 @@
+import functools
 import os
 import platform
 import ssl
@@ -39,16 +40,29 @@ class SystemStorageSslContext(HTTPAdapter):
         conn.ca_certs = None
 
 
+@functools.cache
+def _get_session() -> requests.Session:
+    """Process-wide Session so TCP+TLS connections are reused across all API calls."""
+    session = requests.Session()
+    # On Windows without an explicit CA bundle env var, fall back to the system
+    # trust store via a custom SSL context.
+    if platform.system() == 'Windows' and not (
+        os.environ.get('REQUESTS_CA_BUNDLE') or os.environ.get('CURL_CA_BUNDLE')
+    ):
+        session.mount('https://', SystemStorageSslContext())
+    return session
+
+
 def _get_request_function() -> Callable:
-    if os.environ.get('REQUESTS_CA_BUNDLE') or os.environ.get('CURL_CA_BUNDLE'):
-        return requests.request
+    return _get_session().request
 
-    if platform.system() != 'Windows':
-        return requests.request
 
-    session = requests.Session()
-    session.mount('https://', SystemStorageSslContext())
-    return session.request
+def _log_response(response: Response, url: str, hide_response_content_log: bool) -> None:
+    content = 'HIDDEN' if hide_response_content_log else response.text
+    logger.debug(
+        'Receiving response, %s',
+        {'status_code': response.status_code, 'url': url, 'content': content},
+    )
 
 
 _REQUEST_ERRORS_TO_RETRY = (
@@ -182,12 +196,7 @@ class CycodeClientBase:
             response = _get_request_function()(
                 method='post', url=url, data=tracker, headers=headers, timeout=self.timeout
             )
-
-            content = 'HIDDEN' if hide_response_content_log else response.text
-            logger.debug(
-                'Receiving response, %s',
-                {'status_code': response.status_code, 'url': url, 'content': content},
-            )
+            _log_response(response, url, hide_response_content_log)
 
             response.raise_for_status()
             return response
@@ -231,14 +240,8 @@ class CycodeClientBase:
 
         try:
             headers = self.get_request_headers(headers, without_auth=without_auth)
-            request = _get_request_function()
-            response = request(method=method, url=url, timeout=timeout, headers=headers, **kwargs)
-
-            content = 'HIDDEN' if hide_response_content_log else response.text
-            logger.debug(
-                'Receiving response, %s',
-                {'status_code': response.status_code, 'url': url, 'content': content},
-            )
+            response = _get_request_function()(method=method, url=url, timeout=timeout, headers=headers, **kwargs)
+            _log_response(response, url, hide_response_content_log)
 
             response.raise_for_status()
             return response

{cycode-3.16.1.dev7.dist-info → cycode-3.16.2.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: cycode
-Version: 3.16.1.dev7
+Version: 3.16.2
 Summary: Boost security in your dev lifecycle via SAST, SCA, Secrets & IaC scanning.
 License-Expression: MIT
 License-File: LICENCE

{cycode-3.16.1.dev7.dist-info → cycode-3.16.2.dist-info}/RECORD

@@ -1,7 +1,7 @@
-cycode/__init__.py,sha256=5B0uQpQ89sImWJL007hvzWjchwgJBFIKiQtxtmYyQ6Y,115
+cycode/__init__.py,sha256=TSHmzZsQlKEA-YAkhDK_FSH49HSJxp-E02fYuRoDKPc,391
 cycode/__main__.py,sha256=Z3bD5yrA7yPvAChcADQrqCaZd0ChGI1gdiwALwbWJ6U,104
 cycode/cli/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-cycode/cli/app.py,sha256=7ReEcVkRX9IaQ2I7jAj7Sl9smbtvxiuK8-9bitMEQik,7491
+cycode/cli/app.py,sha256=AlR2durAEbsa47PDfIj7JtMvJDWA_Dq6wPtVuMJYSCs,10250
 cycode/cli/apps/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 cycode/cli/apps/activation_manager.py,sha256=Hz9PDJFB-ZmYi4HSG8iYC-fR8j5v25VuUU-l95Otsdk,1678
 cycode/cli/apps/ai_guardrails/__init__.py,sha256=NsqB1Ca83BIjJMcDSt6suec6Ed0iNnacC0gBqkuuTtI,1367
@@ -9,11 +9,11 @@ cycode/cli/apps/ai_guardrails/command_utils.py,sha256=NVwd0-2RGRKIqhsQ-4LNDR1D0g
 cycode/cli/apps/ai_guardrails/consts.py,sha256=Js2QtSNYG9Kt0eo3vepRd5TFciCeJHEC9NN18zqKvlE,620
 cycode/cli/apps/ai_guardrails/hooks_manager.py,sha256=c8okVel9KjeXWm5QTnvTraWsTwzrUTqqKd6C80C34Y4,9003
 cycode/cli/apps/ai_guardrails/ides/__init__.py,sha256=JMXbQlq-7q1429w3nQq9Z4FZ8K0zdiUK6zCbilmD3JU,1689
-cycode/cli/apps/ai_guardrails/ides/_plugin_utils.py,sha256=_wJfdUHeCJGHQIOdoXQLuMJ4YGaOq_aLjY0ZUyzpsxU,2747
-cycode/cli/apps/ai_guardrails/ides/base.py,sha256=tFWjkuTKBn-4IZUFXHThwKctB6CWOxnG9q9Yr9fscJA,6594
-cycode/cli/apps/ai_guardrails/ides/claude_code.py,sha256=29O6Mp2NkJ89bQ6Wu_vQ9YlfUnMqpasSGwigAAzhzyM,13500
-cycode/cli/apps/ai_guardrails/ides/codex.py,sha256=-YkJs0PwGSP1ExJKPlgiZeQmWaQ1LL4wOkLG86iMLBU,11887
-cycode/cli/apps/ai_guardrails/ides/cursor.py,sha256=_u-DS4Pdvu_UiNh-W5i2ViHPV0IDlDvFrpRnisL3ks8,5235
+cycode/cli/apps/ai_guardrails/ides/_plugin_utils.py,sha256=sBiLZWAKL8M7fTSDLR09aPk7_2w7NJfN10tydwVszmA,3273
+cycode/cli/apps/ai_guardrails/ides/base.py,sha256=siFgELUNn1YBXY-jbx3yvhCbbqMXZQG1mFlxTAnwqS8,6995
+cycode/cli/apps/ai_guardrails/ides/claude_code.py,sha256=KkTpX285ofwAD8olOcXwZXy9KBerlG3haS7QDrizD3o,13634
+cycode/cli/apps/ai_guardrails/ides/codex.py,sha256=n9aiFQ8vGJxZMxCViSz5K8t3GixxZhiIMeIBkbfjxmg,12189
+cycode/cli/apps/ai_guardrails/ides/cursor.py,sha256=wyHbh0QaSjC0EbwcWi-kZR4SN5lgkOLJ5S55EgSO2sw,5606
 cycode/cli/apps/ai_guardrails/install_command.py,sha256=vGZSIvHHVMS9_zhV_6lEhxqtmr5H6uykSq4AS5nxQYw,4278
 cycode/cli/apps/ai_guardrails/scan/__init__.py,sha256=qJc82XiQGiAuc1sYY8Ij_A-qXpxgLPuayQq8xWlouMA,48
 cycode/cli/apps/ai_guardrails/scan/consts.py,sha256=drAslw6vW3kxmbCs2qPCUbUPR7PJouT2lsXtu5sD-lQ,1094
@@ -23,7 +23,7 @@ cycode/cli/apps/ai_guardrails/scan/policy.py,sha256=39s8hnxgjny1l6XAO59wsRcAlpW-
 cycode/cli/apps/ai_guardrails/scan/scan_command.py,sha256=-Gl7cHELF1wlwLGno6ZVukFtK6NI6Z3-dTpIOsz8ors,6079
 cycode/cli/apps/ai_guardrails/scan/types.py,sha256=lDttkYFBfOkdMEEaRbq1IT2QTK0R-7Ht3T8vZdyB3b4,1038
 cycode/cli/apps/ai_guardrails/scan/utils.py,sha256=KVfX-NrcM-QW4quLtoNqfmz4GF0FlDs-TkqUOu1hAWM,2057
-cycode/cli/apps/ai_guardrails/session_start_command.py,sha256=z-yClXkV-SAxh5E8zKGIyo_qbhkpujoTgnx-lUDGS0I,3279
+cycode/cli/apps/ai_guardrails/session_start_command.py,sha256=WzFE_12sxDq2lrVmMN_G2q_d9pfbsEO3CvjJXBcbFI0,3684
 cycode/cli/apps/ai_guardrails/status_command.py,sha256=Uqss68TEPCYPXpLix6Bh-4J3g-khxWsAqlIGYH5x4bQ,3203
 cycode/cli/apps/ai_guardrails/uninstall_command.py,sha256=dOmePfZmlHAPy2zEJM1yMtSuDqvzDwtqgmLKYK-T9PI,2698
 cycode/cli/apps/ai_remediation/__init__.py,sha256=8vYthY9RQeJqEni3AIF5sryz8n-XJQ6VNqG4aEFBAdY,553
@@ -64,7 +64,7 @@ cycode/cli/apps/report_import/sbom/sbom_command.py,sha256=uWvBhVdROHcHsjoR3l44h3
 cycode/cli/apps/sca_options.py,sha256=-3iXoJV5qOkfjr-WGIWuAgaeNYeItJIbm2n6O2Kg5D8,1666
 cycode/cli/apps/scan/__init__.py,sha256=-q1AIBnrQ4GP0CVKFLr_2CdWf9TBQC90ejSL4I7rxuA,2444
 cycode/cli/apps/scan/aggregation_report.py,sha256=8f9kPfO7biNf5OsDZG6UhMPqG6ymoFrX5GBtlEIfFAg,1540
-cycode/cli/apps/scan/code_scanner.py,sha256=IoU3dAFSXa4o0W8FggTUrgEonI0OYqREuG34i0XBumI,16865
+cycode/cli/apps/scan/code_scanner.py,sha256=jjUzi2yueS0TrW4lo_vkkz1KMoBJfwjCCsKeSmoPW2A,17099
 cycode/cli/apps/scan/commit_history/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 cycode/cli/apps/scan/commit_history/commit_history_command.py,sha256=zTVmN8yeLXGAiCbyDL-EyEzSPNLzcRpP2q6Qq7p4uZA,1011
 cycode/cli/apps/scan/commit_range_scanner.py,sha256=axFs--Xcb3I7D_SJHtBNE810qyCsSzLqPn_rD_8Peb8,17172
@@ -84,8 +84,8 @@ cycode/cli/apps/scan/scan_ci/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NM
 cycode/cli/apps/scan/scan_ci/ci_integrations.py,sha256=3ZUv1uLsHC13KTNQ4erQKKDXAkmaSm5jow2Utwr4mCw,1634
 cycode/cli/apps/scan/scan_ci/scan_ci_command.py,sha256=37I6YTs5UWYtbnDe1EeYZnhV1twFTDUrniZ4Sf2_6Kk,562
 cycode/cli/apps/scan/scan_command.py,sha256=n3bzGjB5CSmLRfFn6-pLBhrlOCDTRz2Kfn2L_J1l0io,7916
-cycode/cli/apps/scan/scan_parameters.py,sha256=66Ft8c_L6_BxDvRgJoXP5ItUQfzSHGF_XJWBdQismrg,1341
-cycode/cli/apps/scan/scan_result.py,sha256=mIxALi_qUfXHoauSU7SknX0xLp8P9WdhV3oFc8jp_SA,8497
+cycode/cli/apps/scan/scan_parameters.py,sha256=x0UPwLQx85SW-pdPG6bNkChmnBXhWA8lnUCdY08urq8,1409
+cycode/cli/apps/scan/scan_result.py,sha256=hTPB2wnsbqSNqAxhWN4P7_ygDN_j5Mufs_shIb0FJU4,8624
 cycode/cli/apps/status/__init__.py,sha256=uxfkEBafO7Da0mPc1fZhwoO0RTtyXp2a5T3LJTZxubU,371
 cycode/cli/apps/status/get_cli_status.py,sha256=1UAVyKPpYk2S8nQYshKD1x5xgWR-hCTchLChxNU0JVA,2577
 cycode/cli/apps/status/models.py,sha256=2SBpJlh_MNCPxv8aXMV5D4GfK6-G-XB0GlMFZ3Nep_o,1907
@@ -94,7 +94,7 @@ cycode/cli/apps/status/version_command.py,sha256=c6Iko_rmZo9T_kQSd3HUloBi40Qv7cj
 cycode/cli/cli_types.py,sha256=QbFWJLtlsEnHGdqdHbLolJqT57RfhocvsPAhlcNcCRE,3354
 cycode/cli/config.py,sha256=Op-lX_neanJtvPvoOEx4ByBdveh5ygElIga1FdSHhOI,299
 cycode/cli/console.py,sha256=vp-DHwlkwpwdsPyfwGdjsPF-6-Bi3f8W7G-W_YXCMH8,1914
-cycode/cli/consts.py,sha256=YjP_aIOayJkGEc87hTCMZBmRAFtXgM-dspVF51nVSCs,9029
+cycode/cli/consts.py,sha256=DA64POP-TWR4jTOkBzzN-paHX_S_9A_qPs6GCIW-U9s,9651
 cycode/cli/exceptions/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 cycode/cli/exceptions/custom_exceptions.py,sha256=mTPLPI6V5JrEM6IQ8f7An9P207oYWEgJr-l9UpieSWk,4232
 cycode/cli/exceptions/handle_ai_remediation_errors.py,sha256=mA70upSYXK3rL_fmanzKYeUzLENhpXdkW8k3aIHrKzU,785
@@ -105,7 +105,7 @@ cycode/cli/exceptions/handle_scan_errors.py,sha256=1KkBFb7LniflYRr0vMl1FPIZDALPZ
 cycode/cli/files_collector/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 cycode/cli/files_collector/commit_range_documents.py,sha256=ZAU9er6m8_IF9y9KxZoiEaDOiZC35SEfv5VtqKp4AZc,20484
 cycode/cli/files_collector/documents_walk_ignore.py,sha256=G4e-3vfP4WZ7wa9-VbZ66xCKCioTXnPBfbrs4_hh8xY,4705
-cycode/cli/files_collector/file_excluder.py,sha256=5Y7MM6_4x4FRKCV47D_hOXIg9BzYLHqwoWkmtV7Lt4I,7562
+cycode/cli/files_collector/file_excluder.py,sha256=YSMzmsv1qJFwOIWk6JzXLYPOd2YNHZGqf854n_DSnWI,8233
 cycode/cli/files_collector/iac/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 cycode/cli/files_collector/iac/tf_content_generator.py,sha256=a65zA0Ejv_LSA5jac2omHck4IKoNS5MX6v6ltF2wo4E,2873
 cycode/cli/files_collector/models/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
@@ -186,16 +186,16 @@ cycode/cli/utils/version_checker.py,sha256=0f5PaTk02ZkDxzBqZOeMV9mU_CWcx6HKW80jU
 cycode/cli/utils/yaml_utils.py,sha256=R-tqzl0C-zoa42rS7nfWeHu3GJ0jpbQUyyqYYU2hleM,1818
 cycode/config.py,sha256=jHORGZQcAXkAGSf2XreC-RQoc8sdNWja69QKtPWTbWo,1044
 cycode/cyclient/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-cycode/cyclient/ai_security_manager_client.py,sha256=aZKsq2yB7ZiptMGj0RBTuPYyjYiJ5FTjNTi5_i37t4Q,4282
+cycode/cyclient/ai_security_manager_client.py,sha256=EhPzP_jia9c9hw98UgHBemwFKluuhg5AJVAfngXkWfM,4543
 cycode/cyclient/ai_security_manager_service_config.py,sha256=83pQzgOb93JW6E-dznJkI4c0NEXmQRlx9YZKMmjVwp8,808
 cycode/cyclient/auth_client.py,sha256=TwbmZ358Ancf-Q-IZolvfljZ8691_6botsqd0R0PLPk,2105
-cycode/cyclient/base_token_auth_client.py,sha256=3JIrSz0-ywVTIfxIs2zs5aGcE-x5GW3AgPHm9qA4ZDE,3857
+cycode/cyclient/base_token_auth_client.py,sha256=mn5580d7A8Z2_zcdFKIJk78ADK7mViwTcV-4QCpRCGo,4369
 cycode/cyclient/cli_activation_client.py,sha256=QaATFVABf0vQ6cTU_dCN9UT6fUkJf5qciaK8W7gQDrc,419
 cycode/cyclient/client_creator.py,sha256=-bsOT7M28yx-WT1UhSzENY8N9EgoQIv48Smrr9izQTI,2849
 cycode/cyclient/config.py,sha256=Le3YYp7LyclTwS4vonuFipfRA1qhyC28_muUtxpnImc,1387
 cycode/cyclient/config_dev.py,sha256=GJ3w8Q-ow5SvXGBFA34eaeoI6GhitavAGy3UfcUh9OU,120
 cycode/cyclient/cycode_client.py,sha256=ifZMA4RlFw4QNHku5ZxmtUKglH2yd1479yYZGDtxVvw,257
-cycode/cyclient/cycode_client_base.py,sha256=N9awOsu0nP7yuRbYwFNbkhR99L2Z84k7sC-wiFaC8Pw,10018
+cycode/cyclient/cycode_client_base.py,sha256=_53DmKG_RAEY9INP_27s9FPa4_StQI5IgWt1Pl_Coq8,10193
 cycode/cyclient/cycode_dev_based_client.py,sha256=8LxeUWizXzZ0ilpwb6Q0W4ZMLZyZdKPzgpl5xcRmT8c,664
 cycode/cyclient/cycode_oidc_based_client.py,sha256=AVKBlqFOLYUQVxyPquvFwqnYpD6xgU_R6GJiQCWEdJw,857
 cycode/cyclient/cycode_token_based_client.py,sha256=frbrv1jzF388SXqHNNkZ95Hbx7Vjd3UXwWnq7nVxYN8,848
@@ -207,8 +207,8 @@ cycode/cyclient/report_client.py,sha256=Scq30NeJPzgXv0hPLO1U05AdE9i_2iu6cIrSKpEJ
 cycode/cyclient/scan_client.py,sha256=6TK5FQkfrvV7PHqRnUzEn1PBNd2oPYVamvIixcUfe3c,16755
 cycode/cyclient/scan_config_base.py,sha256=mXsPZGYCtp85rv5GIige40yQZXuRcEKUW-VQJ0vgFzk,1201
 cycode/logger.py,sha256=EfZGRK6VC5rE_LAjIcRrHFiQCueylCDXoG6bvGkrIME,2111
-cycode-3.16.1.dev7.dist-info/METADATA,sha256=Y43jx9fdiLPcKksSYbryGOKCx5bTtFWzTYbmb5Qn5HI,89245
-cycode-3.16.1.dev7.dist-info/WHEEL,sha256=zp0Cn7JsFoX2ATtOhtaFYIiE2rmFAD4OcMhtUki8W3U,88
-cycode-3.16.1.dev7.dist-info/entry_points.txt,sha256=iDcVJM8ByLElVgvBgtYxDjw1kT7O8Mo0LcWZIT5L3Ig,45
-cycode-3.16.1.dev7.dist-info/licenses/LICENCE,sha256=2Wx4N6mD_4xB7-E3hPkZ3MPhpJy__k_I8MaCSO-PDRo,1068
-cycode-3.16.1.dev7.dist-info/RECORD,,
+cycode-3.16.2.dist-info/METADATA,sha256=Q_Nj8ZMYzcoZ-A5GR8HdYMlABqiGnVculq-0e3_OUbM,89240
+cycode-3.16.2.dist-info/WHEEL,sha256=zp0Cn7JsFoX2ATtOhtaFYIiE2rmFAD4OcMhtUki8W3U,88
+cycode-3.16.2.dist-info/entry_points.txt,sha256=iDcVJM8ByLElVgvBgtYxDjw1kT7O8Mo0LcWZIT5L3Ig,45
+cycode-3.16.2.dist-info/licenses/LICENCE,sha256=2Wx4N6mD_4xB7-E3hPkZ3MPhpJy__k_I8MaCSO-PDRo,1068
+cycode-3.16.2.dist-info/RECORD,,