cycode 3.16.1.dev7__tar.gz → 3.16.2__tar.gz

{cycode-3.16.1.dev7 → cycode-3.16.2}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: cycode
-Version: 3.16.1.dev7
+Version: 3.16.2
 Summary: Boost security in your dev lifecycle via SAST, SCA, Secrets & IaC scanning.
 License-Expression: MIT
 License-File: LICENCE

cycode-3.16.2/cycode/__init__.py

@@ -0,0 +1,8 @@
+import time as _time
+
+# Unix-epoch wall clock captured at the earliest possible moment of CLI
+# startup. Sent as `scan_parameters.cli_start_time` so the server can compute
+# end-to-end scan duration from the moment the user actually triggered it.
+_BOOT_WALL: float = _time.time()
+
+__version__ = '3.16.2'  # DON'T TOUCH. Placeholder. Will be filled automatically on poetry build from Git Tag

{cycode-3.16.1.dev7 → cycode-3.16.2}/cycode/cli/app.py

@@ -1,3 +1,4 @@
+import importlib
 import logging
 import sys
 from typing import Annotated, Optional
@@ -10,12 +11,7 @@ from typer._completion_shared import Shells
 from typer.completion import install_callback, show_callback
 
 from cycode import __version__
-from cycode.cli.apps import ai_guardrails, ai_remediation, auth, configure, ignore, report, report_import, scan, status
 from cycode.cli.apps.api import get_platform_group
-
-if sys.version_info >= (3, 10):
-    from cycode.cli.apps import mcp
-
 from cycode.cli.cli_types import OutputTypeOption
 from cycode.cli.consts import CLI_CONTEXT_SETTINGS
 from cycode.cli.printers import ConsolePrinter
@@ -46,17 +42,88 @@ app = typer.Typer(
     add_completion=False,  # we add it manually to control the rich help panel
 )
 
-app.add_typer(ai_guardrails.app)
-app.add_typer(ai_remediation.app)
-app.add_typer(auth.app)
-app.add_typer(configure.app)
-app.add_typer(ignore.app)
-app.add_typer(report.app)
-app.add_typer(report_import.app)
-app.add_typer(scan.app)
-app.add_typer(status.app)
+# Top-level subcommand → module providing its Typer app. Peeking at sys.argv
+# lets us import only the invoked subapp on the hot path (e.g.
+# `cycode ai-guardrails scan`), skipping ~300ms of unrelated imports.
+_SUBAPP_MODULES: dict[str, str] = {
+    'ai-guardrails': 'cycode.cli.apps.ai_guardrails',
+    'ai-remediation': 'cycode.cli.apps.ai_remediation',
+    'auth': 'cycode.cli.apps.auth',
+    'configure': 'cycode.cli.apps.configure',
+    'ignore': 'cycode.cli.apps.ignore',
+    'report': 'cycode.cli.apps.report',
+    'import': 'cycode.cli.apps.report_import',
+    'scan': 'cycode.cli.apps.scan',
+    'status': 'cycode.cli.apps.status',
+}
 if sys.version_info >= (3, 10):
-    app.add_typer(mcp.app)
+    _SUBAPP_MODULES['mcp'] = 'cycode.cli.apps.mcp'
+
+# Aliases: alternate spellings that resolve to a primary subcommand key.
+_SUBAPP_ALIASES: dict[str, str] = {
+    'ai_remediation': 'ai-remediation',  # backward-compat underscore form
+    'version': 'status',
+}
+
+# Root-level options that consume a following value; argv-peek must skip past
+# both the option and its value when scanning for the first positional arg.
+_ROOT_OPTS_WITH_VALUE = frozenset(
+    {
+        '--output',
+        '-o',
+        '--user-agent',
+        '--client-secret',
+        '--client-id',
+        '--id-token',
+        '--show-completion',
+    }
+)
+
+
+def _detect_invocation() -> tuple[Optional[str], Optional[str]]:
+    """Return (top-level-subapp, second-level-subcommand) parsed from sys.argv.
+
+    Both values may be None: when no positional arg matches a known subapp,
+    or when the user only provided a top-level subcommand.
+    """
+    positionals = []
+    args = sys.argv[1:]
+    i = 0
+    while i < len(args):
+        arg = args[i]
+        if arg in _ROOT_OPTS_WITH_VALUE:
+            i += 2
+        elif arg.startswith('-'):
+            # Any flag form: short, long, --key=value, or '--' marker. Skip the token only.
+            i += 1
+        else:
+            positionals.append(arg)
+            if len(positionals) >= 2:
+                break
+            i += 1
+    subapp = positionals[0] if positionals else None
+    subapp = _SUBAPP_ALIASES.get(subapp, subapp)
+    if subapp not in _SUBAPP_MODULES:
+        return None, None
+    subcommand = positionals[1] if len(positionals) >= 2 else None
+    return subapp, subcommand
+
+
+# Computed once at import; reused by lazy registration and the version-checker skip.
+_INVOKED_SUBAPP, _INVOKED_SUBCOMMAND = _detect_invocation()
+
+
+def _register_subapps(only: Optional[str]) -> None:
+    if only is not None:
+        app.add_typer(importlib.import_module(_SUBAPP_MODULES[only]).app)
+        return
+    # Cold path (--help, completion, unknown subcommand): load all modules so
+    # root help lists everything. Deduplicate since aliases share modules.
+    for module_path in dict.fromkeys(_SUBAPP_MODULES.values()):
+        app.add_typer(importlib.import_module(module_path).app)
+
+
+_register_subapps(_INVOKED_SUBAPP)
 
 # Register the `platform` command group (dynamically built from the OpenAPI spec).
 # The group itself is constructed cheaply at import time; the spec is only fetched
@@ -81,6 +148,12 @@ typer.main.get_group = _get_group_with_platform
 
 
 def check_latest_version_on_close(ctx: typer.Context) -> None:
+    # Skip on `cycode ai-guardrails scan` — it emits JSON to stdout, so an
+    # upgrade notice would corrupt the response. Human-driven sibling commands
+    # (install, uninstall, status, session-start) still get the notice.
+    if (_INVOKED_SUBAPP, _INVOKED_SUBCOMMAND) == ('ai-guardrails', 'scan'):
+        return
+
     output = ctx.obj.get('output')
     # don't print anything if the output is JSON
     if output == OutputTypeOption.JSON:

{cycode-3.16.1.dev7 → cycode-3.16.2}/cycode/cli/apps/ai_guardrails/ides/_plugin_utils.py

@@ -26,13 +26,26 @@ def load_plugin_json(path: Path) -> Optional[dict]:
         return None
 
 
+def build_global_config_file(path: Path, mcp_servers: Optional[dict]) -> Optional[dict]:
+    """Wrap a global (non-plugin) MCP config into the session-context file shape.
+
+    Returns ``{"path": <full path>, "content": <{"mcpServers": ...} JSON>}`` when
+    there are servers, else ``None``. ``content`` is normalized to the canonical
+    ``{"mcpServers": {...}}`` shape, dropping everything else in the source file.
+    """
+    servers = mcp_servers or {}
+    if not servers:
+        return None
+    return {'path': str(path), 'content': json.dumps({'mcpServers': servers})}
+
+
 def walk_enabled_plugins(
     plugin_entries: dict[str, Any],
     is_enabled: Callable[[Any], bool],
     locate_dir: Callable[[str, str], Optional[Path]],
     read_plugin: Callable[[Path], tuple[dict, dict]],
-) -> tuple[dict, dict]:
-    """Iterate enabled plugins; merge their MCP servers and metadata.
+) -> dict:
+    """Iterate enabled plugins and build their inventory metadata.
 
     Args:
         plugin_entries: ``{<plugin>@<marketplace>: settings}`` map from the IDE config.
@@ -42,13 +55,13 @@ def walk_enabled_plugins(
             filesystem path or None if it can't be resolved.
         read_plugin: given the plugin path, returns ``(entry_fields, servers)``:
             ``entry_fields`` are extra metadata to attach to the inventory entry
-            (name/version/description/...), ``servers`` are MCP servers contributed.
+            (name/version/description/...); ``servers`` are the plugin's MCP
+            servers, which ``read_plugin`` uses to derive that metadata.
 
-    Returns ``(merged_mcp_servers, enriched_plugins)``. Plugin keys without
-    ``@`` (or that fail to resolve to a directory) still appear in the
-    inventory with just ``{'enabled': True}`` so we don't silently drop them.
+    Returns ``enriched_plugins``. Plugin keys without ``@`` (or that fail to
+    resolve to a directory) still appear in the inventory with just
+    ``{'enabled': True}`` so we don't silently drop them.
     """
-    merged_mcp: dict = {}
     enriched: dict = {}
 
     for plugin_key, settings in plugin_entries.items():
@@ -66,8 +79,7 @@ def walk_enabled_plugins(
         if plugin_dir is None:
             continue
 
-        plugin_fields, servers = read_plugin(plugin_dir)
+        plugin_fields, _ = read_plugin(plugin_dir)
         entry.update(plugin_fields)
-        merged_mcp.update(servers)
 
-    return merged_mcp, enriched
+    return enriched

{cycode-3.16.1.dev7 → cycode-3.16.2}/cycode/cli/apps/ai_guardrails/ides/base.py

@@ -167,10 +167,16 @@ class IDE(ABC):
         """
         return None
 
-    def get_session_context(self) -> tuple[dict, dict]:
-        """Return ``(mcp_servers, enabled_plugins)`` for session-context reporting.
+    def get_session_context(self) -> tuple[Optional[dict], dict]:
+        """Return ``(global_config_file, enabled_plugins)`` for session-context reporting.
 
-        Default: empty dicts (no plugin system, no discoverable MCP config).
+        ``global_config_file`` is the IDE's global (non-plugin) MCP config as
+        ``{"path": <full path>, "content": <normalized {"mcpServers": ...} JSON>}``,
+        or ``None`` when there is no global MCP config. ``enabled_plugins`` maps each
+        enabled plugin key to its metadata (including its own ``mcp_config_file``
+        content and ``mcp_config_file_path``).
+
+        Default: ``(None, {})`` (no plugin system, no discoverable MCP config).
         Override to surface MCP/plugin inventory.
         """
-        return {}, {}
+        return None, {}

{cycode-3.16.1.dev7 → cycode-3.16.2}/cycode/cli/apps/ai_guardrails/ides/claude_code.py

@@ -7,7 +7,11 @@ from pathlib import Path
 from typing import ClassVar, Optional
 
 from cycode.cli.apps.ai_guardrails.consts import CYCODE_SCAN_PROMPT_COMMAND, CYCODE_SESSION_START_COMMAND
-from cycode.cli.apps.ai_guardrails.ides._plugin_utils import load_plugin_json, walk_enabled_plugins
+from cycode.cli.apps.ai_guardrails.ides._plugin_utils import (
+    build_global_config_file,
+    load_plugin_json,
+    walk_enabled_plugins,
+)
 from cycode.cli.apps.ai_guardrails.ides.base import IDE, DecisionAction, HookDecision
 from cycode.cli.apps.ai_guardrails.scan.payload import AIHookPayload
 from cycode.cli.apps.ai_guardrails.scan.types import AiHookEventType
@@ -184,14 +188,17 @@ def _read_claude_plugin(plugin_dir: Path) -> tuple[dict, dict]:
         if field in manifest:
             entry[field] = manifest[field]
 
-    mcp_config = load_plugin_json(plugin_dir / '.mcp.json') or {}
+    mcp_config_path = plugin_dir / '.mcp.json'
+    mcp_config = load_plugin_json(mcp_config_path) or {}
     servers: dict = mcp_config.get('mcpServers') or {}
     if servers:
         entry['mcp_server_names'] = list(servers.keys())
+        entry['mcp_config_file_path'] = str(mcp_config_path)
+        entry['mcp_config_file'] = json.dumps(mcp_config)
     return entry, servers
 
 
-def resolve_plugins(settings: dict) -> tuple[dict, dict]:
+def resolve_plugins(settings: dict) -> dict:
     """Walk Claude Code's ``enabledPlugins`` via the shared plugin walker.
 
     Each enabled plugin's marketplace is resolved through
@@ -354,15 +361,11 @@ class ClaudeCode(IDE):
         config = load_claude_config()
         return _email_from_config(config) if config else None
 
-    def get_session_context(self) -> tuple[dict, dict]:
+    def get_session_context(self) -> tuple[Optional[dict], dict]:
         config = load_claude_config()
-        mcp_servers: dict = dict(get_mcp_servers(config) or {}) if config else {}
+        global_config_file = build_global_config_file(_CLAUDE_CONFIG_PATH, get_mcp_servers(config)) if config else None
 
         settings = load_claude_settings()
-        if settings:
-            plugin_mcp, enriched_plugins = resolve_plugins(settings)
-            mcp_servers.update(plugin_mcp)
-        else:
-            enriched_plugins = {}
+        enriched_plugins = resolve_plugins(settings) if settings else {}
 
-        return mcp_servers, enriched_plugins
+        return global_config_file, enriched_plugins

{cycode-3.16.1.dev7 → cycode-3.16.2}/cycode/cli/apps/ai_guardrails/ides/codex.py

@@ -14,7 +14,11 @@ else:  # pragma: no cover - py<3.11 fallback
     import tomli as tomllib
 
 from cycode.cli.apps.ai_guardrails.consts import CYCODE_SCAN_PROMPT_COMMAND, CYCODE_SESSION_START_COMMAND
-from cycode.cli.apps.ai_guardrails.ides._plugin_utils import load_plugin_json, walk_enabled_plugins
+from cycode.cli.apps.ai_guardrails.ides._plugin_utils import (
+    build_global_config_file,
+    load_plugin_json,
+    walk_enabled_plugins,
+)
 from cycode.cli.apps.ai_guardrails.ides.base import IDE, DecisionAction, HookDecision
 from cycode.cli.apps.ai_guardrails.scan.payload import AIHookPayload
 from cycode.cli.apps.ai_guardrails.scan.types import AiHookEventType
@@ -129,16 +133,19 @@ def _read_codex_plugin(plugin_dir: Path) -> tuple[dict, dict]:
     mcp_ref = manifest.get('mcpServers')
     if not mcp_ref:
         return entry, {}
-    mcp_doc = load_plugin_json(plugin_dir / mcp_ref) or {}
+    mcp_config_path = plugin_dir / mcp_ref
+    mcp_doc = load_plugin_json(mcp_config_path) or {}
     servers = mcp_doc.get('mcpServers', mcp_doc)
     if not isinstance(servers, dict):
         servers = {}
     if servers:
         entry['mcp_server_names'] = list(servers.keys())
+        entry['mcp_config_file_path'] = str(mcp_config_path)
+        entry['mcp_config_file'] = json.dumps(mcp_doc)
     return entry, servers
 
 
-def _resolve_codex_plugins(config: dict) -> tuple[dict, dict]:
+def _resolve_codex_plugins(config: dict) -> dict:
     """Walk enabled ``[plugins."<plugin>@<marketplace>"]`` entries."""
     return walk_enabled_plugins(
         plugin_entries=config.get('plugins') or {},
@@ -297,13 +304,14 @@ class Codex(IDE):
     def get_user_email(self) -> Optional[str]:
         return _email_from_auth()
 
-    def get_session_context(self) -> tuple[dict, dict]:
+    def get_session_context(self) -> tuple[Optional[dict], dict]:
         config = _load_codex_config()
         if not config:
-            return {}, {}
-        # Codex stores MCP servers under `[mcp_servers.<name>]`. Plugin-contributed
-        # servers (via `[plugins."<plugin>@<marketplace>"]`) merge on top.
-        mcp_servers: dict = dict(config.get('mcp_servers') or {})
-        plugin_mcp, enriched_plugins = _resolve_codex_plugins(config)
-        mcp_servers.update(plugin_mcp)
-        return mcp_servers, enriched_plugins
+            return None, {}
+        # Codex stores MCP servers under `[mcp_servers.<name>]`; the global config
+        # file becomes its own session-context file. Plugins (via
+        # `[plugins."<plugin>@<marketplace>"]`) carry their own config files.
+        config_path = _codex_config_toml_path('user')
+        global_config_file = build_global_config_file(config_path, config.get('mcp_servers'))
+        enriched_plugins = _resolve_codex_plugins(config)
+        return global_config_file, enriched_plugins

{cycode-3.16.1.dev7 → cycode-3.16.2}/cycode/cli/apps/ai_guardrails/ides/cursor.py

@@ -6,6 +6,7 @@ from pathlib import Path
 from typing import ClassVar, Optional
 
 from cycode.cli.apps.ai_guardrails.consts import CYCODE_SCAN_PROMPT_COMMAND, CYCODE_SESSION_START_COMMAND
+from cycode.cli.apps.ai_guardrails.ides._plugin_utils import build_global_config_file
 from cycode.cli.apps.ai_guardrails.ides.base import IDE, DecisionAction, HookDecision
 from cycode.cli.apps.ai_guardrails.scan.payload import AIHookPayload
 from cycode.cli.apps.ai_guardrails.scan.types import AiHookEventType
@@ -39,9 +40,14 @@ def _user_hooks_dir() -> Path:
     return Path.home() / '.config' / 'Cursor'
 
 
+def _cursor_mcp_config_path() -> Path:
+    """User-scope Cursor MCP config path (``~/.cursor/mcp.json``, all platforms)."""
+    return Path.home() / '.cursor' / _MCP_CONFIG_FILENAME
+
+
 def _load_cursor_mcp_config(config_path: Optional[Path] = None) -> Optional[dict]:
     """Load and parse `~/.cursor/mcp.json`. Returns None if missing/invalid."""
-    path = config_path or (Path.home() / '.cursor' / _MCP_CONFIG_FILENAME)
+    path = config_path or _cursor_mcp_config_path()
     if not path.exists():
         logger.debug('Cursor MCP config file not found, %s', {'path': str(path)})
         return None
@@ -113,7 +119,10 @@ class Cursor(IDE):
             ide_version=raw_payload.get('cursor_version'),
         )
 
-    def get_session_context(self) -> tuple[dict, dict]:
+    def get_session_context(self) -> tuple[Optional[dict], dict]:
         config = _load_cursor_mcp_config()
-        mcp_servers = dict((config or {}).get('mcpServers') or {}) if config else {}
-        return mcp_servers, {}
+        if not config:
+            return None, {}
+        config_path = _cursor_mcp_config_path()
+        global_config_file = build_global_config_file(config_path, config.get('mcpServers'))
+        return global_config_file, {}

{cycode-3.16.1.dev7 → cycode-3.16.2}/cycode/cli/apps/ai_guardrails/session_start_command.py

@@ -1,5 +1,8 @@
 """Handle AI guardrails session start: auth, conversation creation, session context."""
 
+import os
+import platform
+import socket
 import sys
 from typing import TYPE_CHECKING, Annotated, Optional
 
@@ -20,14 +23,25 @@ if TYPE_CHECKING:
 logger = get_logger('AI Guardrails')
 
 
+def _get_logged_in_user() -> Optional[str]:
+    """Best-effort OS account name (whoami). None if it can't be resolved."""
+    try:
+        return os.getlogin()
+    except Exception:
+        return None
+
+
 def _report_session_context(ai_client: 'AISecurityManagerClient', ide: IDE, user_email: Optional[str]) -> None:
     """Report IDE session context to the AI security manager. Never raises."""
     try:
-        mcp_servers, enabled_plugins = ide.get_session_context()
-        if not mcp_servers and not enabled_plugins:
+        global_config_file, enabled_plugins = ide.get_session_context()
+        if not global_config_file and not enabled_plugins:
             return
         ai_client.report_session_context(
-            mcp_servers=mcp_servers,
+            hostname=socket.gethostname(),
+            platform=platform.system(),
+            logged_in_user=_get_logged_in_user(),
+            global_config_file=global_config_file,
             enabled_plugins=enabled_plugins,
             user_email=user_email,
         )

{cycode-3.16.1.dev7 → cycode-3.16.2}/cycode/cli/apps/scan/code_scanner.py

@@ -204,18 +204,21 @@ def _get_scan_documents_thread_func(
                 'zip_file_size': zip_file_size,
             },
         )
-        report_scan_status(
-            cycode_client,
-            scan_type,
-            scan_id,
-            scan_completed,
-            relevant_detections_count,
-            detections_count,
-            len(batch),
-            zip_file_size,
-            command_scan_type,
-            error_message,
-        )
+        # Sync flows already received the full result inline; only async flows
+        # need a separate status report to signal polling completion.
+        if not should_use_sync_flow:
+            report_scan_status(
+                cycode_client,
+                scan_type,
+                scan_id,
+                scan_completed,
+                relevant_detections_count,
+                detections_count,
+                len(batch),
+                zip_file_size,
+                command_scan_type,
+                error_message,
+            )
 
         return scan_id, error, local_scan_result
 

{cycode-3.16.1.dev7 → cycode-3.16.2}/cycode/cli/apps/scan/scan_parameters.py

@@ -2,6 +2,7 @@ from typing import Optional
 
 import typer
 
+from cycode import _BOOT_WALL
 from cycode.cli.apps.scan.remote_url_resolver import get_remote_url_scan_parameter
 from cycode.cli.utils.scan_utils import generate_unique_scan_id
 from cycode.logger import get_logger
@@ -17,6 +18,7 @@ def _get_default_scan_parameters(ctx: typer.Context) -> dict:
         'license_compliance': ctx.obj.get('license-compliance'),
         'command_type': ctx.info_name.replace('-', '_'),  # save backward compatibility
         'aggregation_id': str(generate_unique_scan_id()),
+        'cli_start_time': _BOOT_WALL,
     }
 
 

{cycode-3.16.1.dev7 → cycode-3.16.2}/cycode/cli/apps/scan/scan_result.py

@@ -189,6 +189,10 @@ def enrich_scan_result_with_data_from_detection_rules(
         for detection in detections_per_file.detections:
             detection_rule_ids.add(detection.detection_rule_id)
 
+    if not detection_rule_ids:
+        logger.debug('No detections to enrich, skipping detection_rules fetch')
+        return
+
     detection_rules = cycode_client.get_detection_rules(detection_rule_ids)
     detection_rules_by_id = {detection_rule.detection_rule_id: detection_rule for detection_rule in detection_rules}
 

{cycode-3.16.1.dev7 → cycode-3.16.2}/cycode/cli/consts.py

@@ -53,6 +53,30 @@ SECRET_SCAN_FILE_EXTENSIONS_TO_IGNORE = (
     '.iso',
 )
 
+# Fallback block-list used for SAST only when the server does not return scannable extensions
+# (e.g. when the customer has custom rules, any text file is scannable). These are non-source
+# data formats that can slip past binary detection (the EICAR test file and ClamAV signature
+# databases are plain ASCII) and may be quarantined by object-storage antivirus after upload.
+SAST_SCAN_FILE_EXTENSIONS_TO_IGNORE = (
+    '.bin',
+    '.cvd',
+    '.cld',
+    '.cud',
+    '.hdb',
+    '.hsb',
+    '.mdb',
+    '.msb',
+    '.ndb',
+    '.ndu',
+    '.ldb',
+    '.ldu',
+    '.idb',
+    '.fp',
+    '.sfp',
+    '.ign',
+    '.ign2',
+)
+
 SCA_CONFIGURATION_SCAN_SUPPORTED_FILES = (  # keep in lowercase
     'cargo.lock',
     'cargo.toml',

{cycode-3.16.1.dev7 → cycode-3.16.2}/cycode/cli/files_collector/file_excluder.py

@@ -63,7 +63,10 @@ class Excluder:
         }
         self._non_scannable_extensions: dict[str, tuple[str, ...]] = {
             consts.SECRET_SCAN_TYPE: consts.SECRET_SCAN_FILE_EXTENSIONS_TO_IGNORE,
+            consts.SAST_SCAN_TYPE: consts.SAST_SCAN_FILE_EXTENSIONS_TO_IGNORE,
         }
+        # Tracks scan types for which the SAST fallback log has already been emitted (log once, not per file)
+        self._logged_sast_fallback = False
 
     def apply_scan_config(self, scan_type: str, scan_config: 'models.ScanConfiguration') -> None:
         if scan_config.scannable_extensions:
@@ -86,6 +89,11 @@ class Excluder:
 
         non_scannable_extensions = self._non_scannable_extensions.get(scan_type)
         if non_scannable_extensions:
+            # For SAST, reaching the block-list means the server returned no scannable extensions
+            # (e.g. custom rules, or no remote config). Log once so this is diagnosable.
+            if scan_type == consts.SAST_SCAN_TYPE and not self._logged_sast_fallback:
+                self._logged_sast_fallback = True
+                logger.debug('No scannable extensions provided for SAST; falling back to the built-in ignore list')
             return not filename.endswith(non_scannable_extensions)
 
         return True

{cycode-3.16.1.dev7 → cycode-3.16.2}/cycode/cyclient/ai_security_manager_client.py

@@ -93,15 +93,21 @@ class AISecurityManagerClient:
 
     def report_session_context(
         self,
-        mcp_servers: Optional[dict] = None,
+        hostname: Optional[str] = None,
+        platform: Optional[str] = None,
+        logged_in_user: Optional[str] = None,
+        global_config_file: Optional[dict] = None,
         enabled_plugins: Optional[dict] = None,
         user_email: Optional[str] = None,
     ) -> None:
         """Report session context to the backend."""
         body: dict = {
-            'mcp_servers': mcp_servers,
-            'enabled_plugins': enabled_plugins,
+            'hostname': hostname,
+            'platform': platform,
+            'logged_in_user': logged_in_user,
             'user_email': user_email,
+            'global_config_file': global_config_file,
+            'enabled_plugins': enabled_plugins,
         }
 
         try:

{cycode-3.16.1.dev7 → cycode-3.16.2}/cycode/cyclient/base_token_auth_client.py

@@ -24,19 +24,10 @@ class BaseTokenAuthClient(CycodeClient, ABC):
         self.client_id = client_id
 
         self._credentials_manager = CredentialsManager()
-        # load cached access token
-        access_token, expires_in, creator = self._credentials_manager.get_access_token()
-
-        self._access_token = self._expires_in = None
-        expected_creator = self._create_jwt_creator()
-        if creator == expected_creator:
-            # we must be sure that cached access token is created using the same client id and client secret.
-            # because client id and client secret could be passed via command, via env vars or via config file.
-            # we must not use cached access token if client id or client secret was changed.
-            self._access_token = access_token
-            self._expires_in = arrow.get(expires_in) if expires_in else None
-
+        self._access_token = None
+        self._expires_in = None
         self._lock = Lock()
+        self._load_token_from_disk()
 
     def get_access_token(self) -> str:
         with self._lock:
@@ -51,8 +42,30 @@ class BaseTokenAuthClient(CycodeClient, ABC):
             self._credentials_manager.update_access_token(None, None, None)
 
     def refresh_access_token_if_needed(self) -> None:
-        if self._access_token is None or self._expires_in is None or arrow.utcnow() >= self._expires_in:
-            self.refresh_access_token()
+        if self._has_valid_token():
+            return
+        # Re-check disk before doing the network refresh: another client instance
+        # in this process may have already refreshed and persisted a fresh token.
+        self._load_token_from_disk()
+        if self._has_valid_token():
+            return
+        self.refresh_access_token()
+
+    def _has_valid_token(self) -> bool:
+        return self._access_token is not None and self._expires_in is not None and arrow.utcnow() < self._expires_in
+
+    def _load_token_from_disk(self) -> None:
+        access_token, expires_in, creator = self._credentials_manager.get_access_token()
+        expected_creator = self._create_jwt_creator()
+        # We must be sure that cached access token is created using the same client id and client secret.
+        # Because client id and client secret could be passed via command, via env vars or via config file.
+        # We must not use cached access token if client id or client secret was changed.
+        if creator == expected_creator and access_token:
+            self._access_token = access_token
+            self._expires_in = arrow.get(expires_in) if expires_in else None
+        else:
+            self._access_token = None
+            self._expires_in = None
 
     def refresh_access_token(self) -> None:
         auth_response = self._request_new_access_token()