PyPI - cycode - Versions diffs - 3.16.1.dev8__tar.gz → 3.16.2.dev2__tar.gz - Mend

cycode 3.16.1.dev8tar.gz → 3.16.2.dev2tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (213) hide show

{cycode-3.16.1.dev8 → cycode-3.16.2.dev2}/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: cycode
-Version: 3.16.1.dev8
+Version: 3.16.2.dev2
 Summary: Boost security in your dev lifecycle via SAST, SCA, Secrets & IaC scanning.
 License-Expression: MIT
 License-File: LICENCE

{cycode-3.16.1.dev8 → cycode-3.16.2.dev2}/cycode/__init__.py RENAMED Viewed

@@ -5,4 +5,4 @@ import time as _time
 # end-to-end scan duration from the moment the user actually triggered it.
 _BOOT_WALL: float = _time.time()
-__version__ = '3.16.1.dev8'  # DON'T TOUCH. Placeholder. Will be filled automatically on poetry build from Git Tag
+__version__ = '3.16.2.dev2'  # DON'T TOUCH. Placeholder. Will be filled automatically on poetry build from Git Tag

{cycode-3.16.1.dev8 → cycode-3.16.2.dev2}/cycode/cli/apps/ai_guardrails/ides/_plugin_utils.py RENAMED Viewed

@@ -26,13 +26,26 @@ def load_plugin_json(path: Path) -> Optional[dict]:
         return None
+def build_global_config_file(path: Path, mcp_servers: Optional[dict]) -> Optional[dict]:
+    """Wrap a global (non-plugin) MCP config into the session-context file shape.
+    Returns ``{"path": <full path>, "content": <{"mcpServers": ...} JSON>}`` when
+    there are servers, else ``None``. ``content`` is normalized to the canonical
+    ``{"mcpServers": {...}}`` shape, dropping everything else in the source file.
+    """
+    servers = mcp_servers or {}
+    if not servers:
+        return None
+    return {'path': str(path), 'content': json.dumps({'mcpServers': servers})}
 def walk_enabled_plugins(
     plugin_entries: dict[str, Any],
     is_enabled: Callable[[Any], bool],
     locate_dir: Callable[[str, str], Optional[Path]],
     read_plugin: Callable[[Path], tuple[dict, dict]],
-) -> tuple[dict, dict]:
-    """Iterate enabled plugins; merge their MCP servers and metadata.
+) -> dict:
+    """Iterate enabled plugins and build their inventory metadata.
     Args:
         plugin_entries: ``{<plugin>@<marketplace>: settings}`` map from the IDE config.
@@ -42,13 +55,13 @@ def walk_enabled_plugins(
             filesystem path or None if it can't be resolved.
         read_plugin: given the plugin path, returns ``(entry_fields, servers)``:
             ``entry_fields`` are extra metadata to attach to the inventory entry
-            (name/version/description/...), ``servers`` are MCP servers contributed.
+            (name/version/description/...); ``servers`` are the plugin's MCP
+            servers, which ``read_plugin`` uses to derive that metadata.
-    Returns ``(merged_mcp_servers, enriched_plugins)``. Plugin keys without
-    ``@`` (or that fail to resolve to a directory) still appear in the
-    inventory with just ``{'enabled': True}`` so we don't silently drop them.
+    Returns ``enriched_plugins``. Plugin keys without ``@`` (or that fail to
+    resolve to a directory) still appear in the inventory with just
+    ``{'enabled': True}`` so we don't silently drop them.
     """
-    merged_mcp: dict = {}
     enriched: dict = {}
     for plugin_key, settings in plugin_entries.items():
@@ -66,8 +79,7 @@ def walk_enabled_plugins(
         if plugin_dir is None:
             continue
-        plugin_fields, servers = read_plugin(plugin_dir)
+        plugin_fields, _ = read_plugin(plugin_dir)
         entry.update(plugin_fields)
-        merged_mcp.update(servers)
-    return merged_mcp, enriched
+    return enriched

{cycode-3.16.1.dev8 → cycode-3.16.2.dev2}/cycode/cli/apps/ai_guardrails/ides/base.py RENAMED Viewed

@@ -167,10 +167,16 @@ class IDE(ABC):
         """
         return None
-    def get_session_context(self) -> tuple[dict, dict]:
-        """Return ``(mcp_servers, enabled_plugins)`` for session-context reporting.
+    def get_session_context(self) -> tuple[Optional[dict], dict]:
+        """Return ``(global_config_file, enabled_plugins)`` for session-context reporting.
-        Default: empty dicts (no plugin system, no discoverable MCP config).
+        ``global_config_file`` is the IDE's global (non-plugin) MCP config as
+        ``{"path": <full path>, "content": <normalized {"mcpServers": ...} JSON>}``,
+        or ``None`` when there is no global MCP config. ``enabled_plugins`` maps each
+        enabled plugin key to its metadata (including its own ``mcp_config_file``
+        content and ``mcp_config_file_path``).
+        Default: ``(None, {})`` (no plugin system, no discoverable MCP config).
         Override to surface MCP/plugin inventory.
         """
-        return {}, {}
+        return None, {}

{cycode-3.16.1.dev8 → cycode-3.16.2.dev2}/cycode/cli/apps/ai_guardrails/ides/claude_code.py RENAMED Viewed

@@ -7,7 +7,11 @@ from pathlib import Path
 from typing import ClassVar, Optional
 from cycode.cli.apps.ai_guardrails.consts import CYCODE_SCAN_PROMPT_COMMAND, CYCODE_SESSION_START_COMMAND
-from cycode.cli.apps.ai_guardrails.ides._plugin_utils import load_plugin_json, walk_enabled_plugins
+from cycode.cli.apps.ai_guardrails.ides._plugin_utils import (
+    build_global_config_file,
+    load_plugin_json,
+    walk_enabled_plugins,
+)
 from cycode.cli.apps.ai_guardrails.ides.base import IDE, DecisionAction, HookDecision
 from cycode.cli.apps.ai_guardrails.scan.payload import AIHookPayload
 from cycode.cli.apps.ai_guardrails.scan.types import AiHookEventType
@@ -184,14 +188,17 @@ def _read_claude_plugin(plugin_dir: Path) -> tuple[dict, dict]:
         if field in manifest:
             entry[field] = manifest[field]
-    mcp_config = load_plugin_json(plugin_dir / '.mcp.json') or {}
+    mcp_config_path = plugin_dir / '.mcp.json'
+    mcp_config = load_plugin_json(mcp_config_path) or {}
     servers: dict = mcp_config.get('mcpServers') or {}
     if servers:
         entry['mcp_server_names'] = list(servers.keys())
+        entry['mcp_config_file_path'] = str(mcp_config_path)
+        entry['mcp_config_file'] = json.dumps(mcp_config)
     return entry, servers
-def resolve_plugins(settings: dict) -> tuple[dict, dict]:
+def resolve_plugins(settings: dict) -> dict:
     """Walk Claude Code's ``enabledPlugins`` via the shared plugin walker.
     Each enabled plugin's marketplace is resolved through
@@ -354,15 +361,11 @@ class ClaudeCode(IDE):
         config = load_claude_config()
         return _email_from_config(config) if config else None
-    def get_session_context(self) -> tuple[dict, dict]:
+    def get_session_context(self) -> tuple[Optional[dict], dict]:
         config = load_claude_config()
-        mcp_servers: dict = dict(get_mcp_servers(config) or {}) if config else {}
+        global_config_file = build_global_config_file(_CLAUDE_CONFIG_PATH, get_mcp_servers(config)) if config else None
         settings = load_claude_settings()
-        if settings:
-            plugin_mcp, enriched_plugins = resolve_plugins(settings)
-            mcp_servers.update(plugin_mcp)
-        else:
-            enriched_plugins = {}
+        enriched_plugins = resolve_plugins(settings) if settings else {}
-        return mcp_servers, enriched_plugins
+        return global_config_file, enriched_plugins

{cycode-3.16.1.dev8 → cycode-3.16.2.dev2}/cycode/cli/apps/ai_guardrails/ides/codex.py RENAMED Viewed

@@ -14,7 +14,11 @@ else:  # pragma: no cover - py<3.11 fallback
     import tomli as tomllib
 from cycode.cli.apps.ai_guardrails.consts import CYCODE_SCAN_PROMPT_COMMAND, CYCODE_SESSION_START_COMMAND
-from cycode.cli.apps.ai_guardrails.ides._plugin_utils import load_plugin_json, walk_enabled_plugins
+from cycode.cli.apps.ai_guardrails.ides._plugin_utils import (
+    build_global_config_file,
+    load_plugin_json,
+    walk_enabled_plugins,
+)
 from cycode.cli.apps.ai_guardrails.ides.base import IDE, DecisionAction, HookDecision
 from cycode.cli.apps.ai_guardrails.scan.payload import AIHookPayload
 from cycode.cli.apps.ai_guardrails.scan.types import AiHookEventType
@@ -129,16 +133,19 @@ def _read_codex_plugin(plugin_dir: Path) -> tuple[dict, dict]:
     mcp_ref = manifest.get('mcpServers')
     if not mcp_ref:
         return entry, {}
-    mcp_doc = load_plugin_json(plugin_dir / mcp_ref) or {}
+    mcp_config_path = plugin_dir / mcp_ref
+    mcp_doc = load_plugin_json(mcp_config_path) or {}
     servers = mcp_doc.get('mcpServers', mcp_doc)
     if not isinstance(servers, dict):
         servers = {}
     if servers:
         entry['mcp_server_names'] = list(servers.keys())
+        entry['mcp_config_file_path'] = str(mcp_config_path)
+        entry['mcp_config_file'] = json.dumps(mcp_doc)
     return entry, servers
-def _resolve_codex_plugins(config: dict) -> tuple[dict, dict]:
+def _resolve_codex_plugins(config: dict) -> dict:
     """Walk enabled ``[plugins."<plugin>@<marketplace>"]`` entries."""
     return walk_enabled_plugins(
         plugin_entries=config.get('plugins') or {},
@@ -297,13 +304,14 @@ class Codex(IDE):
     def get_user_email(self) -> Optional[str]:
         return _email_from_auth()
-    def get_session_context(self) -> tuple[dict, dict]:
+    def get_session_context(self) -> tuple[Optional[dict], dict]:
         config = _load_codex_config()
         if not config:
-            return {}, {}
-        # Codex stores MCP servers under `[mcp_servers.<name>]`. Plugin-contributed
-        # servers (via `[plugins."<plugin>@<marketplace>"]`) merge on top.
-        mcp_servers: dict = dict(config.get('mcp_servers') or {})
-        plugin_mcp, enriched_plugins = _resolve_codex_plugins(config)
-        mcp_servers.update(plugin_mcp)
-        return mcp_servers, enriched_plugins
+            return None, {}
+        # Codex stores MCP servers under `[mcp_servers.<name>]`; the global config
+        # file becomes its own session-context file. Plugins (via
+        # `[plugins."<plugin>@<marketplace>"]`) carry their own config files.
+        config_path = _codex_config_toml_path('user')
+        global_config_file = build_global_config_file(config_path, config.get('mcp_servers'))
+        enriched_plugins = _resolve_codex_plugins(config)
+        return global_config_file, enriched_plugins

{cycode-3.16.1.dev8 → cycode-3.16.2.dev2}/cycode/cli/apps/ai_guardrails/ides/cursor.py RENAMED Viewed

@@ -6,6 +6,7 @@ from pathlib import Path
 from typing import ClassVar, Optional
 from cycode.cli.apps.ai_guardrails.consts import CYCODE_SCAN_PROMPT_COMMAND, CYCODE_SESSION_START_COMMAND
+from cycode.cli.apps.ai_guardrails.ides._plugin_utils import build_global_config_file
 from cycode.cli.apps.ai_guardrails.ides.base import IDE, DecisionAction, HookDecision
 from cycode.cli.apps.ai_guardrails.scan.payload import AIHookPayload
 from cycode.cli.apps.ai_guardrails.scan.types import AiHookEventType
@@ -39,9 +40,14 @@ def _user_hooks_dir() -> Path:
     return Path.home() / '.config' / 'Cursor'
+def _cursor_mcp_config_path() -> Path:
+    """User-scope Cursor MCP config path (``~/.cursor/mcp.json``, all platforms)."""
+    return Path.home() / '.cursor' / _MCP_CONFIG_FILENAME
 def _load_cursor_mcp_config(config_path: Optional[Path] = None) -> Optional[dict]:
     """Load and parse `~/.cursor/mcp.json`. Returns None if missing/invalid."""
-    path = config_path or (Path.home() / '.cursor' / _MCP_CONFIG_FILENAME)
+    path = config_path or _cursor_mcp_config_path()
     if not path.exists():
         logger.debug('Cursor MCP config file not found, %s', {'path': str(path)})
         return None
@@ -113,7 +119,10 @@ class Cursor(IDE):
             ide_version=raw_payload.get('cursor_version'),
         )
-    def get_session_context(self) -> tuple[dict, dict]:
+    def get_session_context(self) -> tuple[Optional[dict], dict]:
         config = _load_cursor_mcp_config()
-        mcp_servers = dict((config or {}).get('mcpServers') or {}) if config else {}
-        return mcp_servers, {}
+        if not config:
+            return None, {}
+        config_path = _cursor_mcp_config_path()
+        global_config_file = build_global_config_file(config_path, config.get('mcpServers'))
+        return global_config_file, {}

{cycode-3.16.1.dev8 → cycode-3.16.2.dev2}/cycode/cli/apps/ai_guardrails/session_start_command.py RENAMED Viewed

@@ -1,5 +1,8 @@
 """Handle AI guardrails session start: auth, conversation creation, session context."""
+import os
+import platform
+import socket
 import sys
 from typing import TYPE_CHECKING, Annotated, Optional
@@ -20,14 +23,25 @@ if TYPE_CHECKING:
 logger = get_logger('AI Guardrails')
+def _get_logged_in_user() -> Optional[str]:
+    """Best-effort OS account name (whoami). None if it can't be resolved."""
+    try:
+        return os.getlogin()
+    except Exception:
+        return None
 def _report_session_context(ai_client: 'AISecurityManagerClient', ide: IDE, user_email: Optional[str]) -> None:
     """Report IDE session context to the AI security manager. Never raises."""
     try:
-        mcp_servers, enabled_plugins = ide.get_session_context()
-        if not mcp_servers and not enabled_plugins:
+        global_config_file, enabled_plugins = ide.get_session_context()
+        if not global_config_file and not enabled_plugins:
             return
         ai_client.report_session_context(
-            mcp_servers=mcp_servers,
+            hostname=socket.gethostname(),
+            platform=platform.system(),
+            logged_in_user=_get_logged_in_user(),
+            global_config_file=global_config_file,
             enabled_plugins=enabled_plugins,
             user_email=user_email,
         )

{cycode-3.16.1.dev8 → cycode-3.16.2.dev2}/cycode/cli/consts.py RENAMED Viewed

@@ -53,6 +53,30 @@ SECRET_SCAN_FILE_EXTENSIONS_TO_IGNORE = (
     '.iso',
 )
+# Fallback block-list used for SAST only when the server does not return scannable extensions
+# (e.g. when the customer has custom rules, any text file is scannable). These are non-source
+# data formats that can slip past binary detection (the EICAR test file and ClamAV signature
+# databases are plain ASCII) and may be quarantined by object-storage antivirus after upload.
+SAST_SCAN_FILE_EXTENSIONS_TO_IGNORE = (
+    '.bin',
+    '.cvd',
+    '.cld',
+    '.cud',
+    '.hdb',
+    '.hsb',
+    '.mdb',
+    '.msb',
+    '.ndb',
+    '.ndu',
+    '.ldb',
+    '.ldu',
+    '.idb',
+    '.fp',
+    '.sfp',
+    '.ign',
+    '.ign2',
+)
 SCA_CONFIGURATION_SCAN_SUPPORTED_FILES = (  # keep in lowercase
     'cargo.lock',
     'cargo.toml',

{cycode-3.16.1.dev8 → cycode-3.16.2.dev2}/cycode/cli/files_collector/file_excluder.py RENAMED Viewed

@@ -63,7 +63,10 @@ class Excluder:
         }
         self._non_scannable_extensions: dict[str, tuple[str, ...]] = {
             consts.SECRET_SCAN_TYPE: consts.SECRET_SCAN_FILE_EXTENSIONS_TO_IGNORE,
+            consts.SAST_SCAN_TYPE: consts.SAST_SCAN_FILE_EXTENSIONS_TO_IGNORE,
         }
+        # Tracks scan types for which the SAST fallback log has already been emitted (log once, not per file)
+        self._logged_sast_fallback = False
     def apply_scan_config(self, scan_type: str, scan_config: 'models.ScanConfiguration') -> None:
         if scan_config.scannable_extensions:
@@ -86,6 +89,11 @@ class Excluder:
         non_scannable_extensions = self._non_scannable_extensions.get(scan_type)
         if non_scannable_extensions:
+            # For SAST, reaching the block-list means the server returned no scannable extensions
+            # (e.g. custom rules, or no remote config). Log once so this is diagnosable.
+            if scan_type == consts.SAST_SCAN_TYPE and not self._logged_sast_fallback:
+                self._logged_sast_fallback = True
+                logger.debug('No scannable extensions provided for SAST; falling back to the built-in ignore list')
             return not filename.endswith(non_scannable_extensions)
         return True

{cycode-3.16.1.dev8 → cycode-3.16.2.dev2}/cycode/cyclient/ai_security_manager_client.py RENAMED Viewed

@@ -93,15 +93,21 @@ class AISecurityManagerClient:
     def report_session_context(
         self,
-        mcp_servers: Optional[dict] = None,
+        hostname: Optional[str] = None,
+        platform: Optional[str] = None,
+        logged_in_user: Optional[str] = None,
+        global_config_file: Optional[dict] = None,
         enabled_plugins: Optional[dict] = None,
         user_email: Optional[str] = None,
     ) -> None:
         """Report session context to the backend."""
         body: dict = {
-            'mcp_servers': mcp_servers,
-            'enabled_plugins': enabled_plugins,
+            'hostname': hostname,
+            'platform': platform,
+            'logged_in_user': logged_in_user,
             'user_email': user_email,
+            'global_config_file': global_config_file,
+            'enabled_plugins': enabled_plugins,
         }
         try:

{cycode-3.16.1.dev8 → cycode-3.16.2.dev2}/pyproject.toml RENAMED Viewed

@@ -21,7 +21,7 @@ classifiers = [
     "Programming Language :: Python :: 3.14",
 ]
 dynamic = ["dependencies"]
-version = "3.16.1.dev8"
+version = "3.16.2.dev2"
 [project.scripts]
 cycode = "cycode.cli.app:app"