PyPI - cycode - Versions diffs - 3.9.0__tar.gz → 3.9.1.dev1__tar.gz - Mend

cycode 3.9.0tar.gz → 3.9.1.dev1tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (195) hide show

{cycode-3.9.0 → cycode-3.9.1.dev1}/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: cycode
-Version: 3.9.0
+Version: 3.9.1.dev1
 Summary: Boost security in your dev lifecycle via SAST, SCA, Secrets & IaC scanning.
 License-Expression: MIT
 License-File: LICENCE

cycode-3.9.1.dev1/cycode/__init__.py ADDED Viewed

	@@ -0,0 +1 @@
1	+ __version__ = '3.9.1.dev1' # DON'T TOUCH. Placeholder. Will be filled automatically on poetry build from Git Tag

{cycode-3.9.0 → cycode-3.9.1.dev1}/cycode/cli/apps/ai_guardrails/command_utils.py RENAMED Viewed

@@ -12,24 +12,26 @@ from cycode.cli.apps.ai_guardrails.consts import AIIDEType
 console = Console()
-def validate_and_parse_ide(ide: str) -> AIIDEType:
-    """Validate IDE parameter and convert to AIIDEType enum.
+def validate_and_parse_ide(ide: str) -> Optional[AIIDEType]:
+    """Validate IDE parameter, returning None for 'all'.
     Args:
-        ide: IDE name string (e.g., 'cursor')
+        ide: IDE name string (e.g., 'cursor', 'claude-code', 'all')
     Returns:
-        AIIDEType enum value
+        AIIDEType enum value, or None if 'all' was specified
     Raises:
         typer.Exit: If IDE is invalid
     """
+    if ide.lower() == 'all':
+        return None
     try:
         return AIIDEType(ide.lower())
     except ValueError:
         valid_ides = ', '.join([ide_type.value for ide_type in AIIDEType])
         console.print(
-            f'[red]Error:[/] Invalid IDE "{ide}". Supported IDEs: {valid_ides}',
+            f'[red]Error:[/] Invalid IDE "{ide}". Supported IDEs: {valid_ides}, all',
             style='bold red',
         )
         raise typer.Exit(1) from None

cycode-3.9.1.dev1/cycode/cli/apps/ai_guardrails/consts.py ADDED Viewed

@@ -0,0 +1,133 @@
+"""Constants for AI guardrails hooks management.
+Currently supports:
+- Cursor
+- Claude Code
+"""
+import platform
+from enum import Enum
+from pathlib import Path
+from typing import NamedTuple
+class AIIDEType(str, Enum):
+    """Supported AI IDE types."""
+    CURSOR = 'cursor'
+    CLAUDE_CODE = 'claude-code'
+class PolicyMode(str, Enum):
+    """Policy enforcement mode for global mode and per-feature actions."""
+    BLOCK = 'block'
+    WARN = 'warn'
+class IDEConfig(NamedTuple):
+    """Configuration for an AI IDE."""
+    name: str
+    hooks_dir: Path
+    repo_hooks_subdir: str  # Subdirectory in repo for hooks (e.g., '.cursor')
+    hooks_file_name: str
+    hook_events: list[str]  # List of supported hook event names for this IDE
+def _get_cursor_hooks_dir() -> Path:
+    """Get Cursor hooks directory based on platform."""
+    if platform.system() == 'Darwin':
+        return Path.home() / '.cursor'
+    if platform.system() == 'Windows':
+        return Path.home() / 'AppData' / 'Roaming' / 'Cursor'
+    # Linux
+    return Path.home() / '.config' / 'Cursor'
+def _get_claude_code_hooks_dir() -> Path:
+    """Get Claude Code hooks directory.
+    Claude Code uses ~/.claude on all platforms.
+    """
+    return Path.home() / '.claude'
+# IDE-specific configurations
+IDE_CONFIGS: dict[AIIDEType, IDEConfig] = {
+    AIIDEType.CURSOR: IDEConfig(
+        name='Cursor',
+        hooks_dir=_get_cursor_hooks_dir(),
+        repo_hooks_subdir='.cursor',
+        hooks_file_name='hooks.json',
+        hook_events=['beforeSubmitPrompt', 'beforeReadFile', 'beforeMCPExecution'],
+    ),
+    AIIDEType.CLAUDE_CODE: IDEConfig(
+        name='Claude Code',
+        hooks_dir=_get_claude_code_hooks_dir(),
+        repo_hooks_subdir='.claude',
+        hooks_file_name='settings.json',
+        hook_events=['UserPromptSubmit', 'PreToolUse:Read', 'PreToolUse:mcp'],
+    ),
+}
+# Default IDE
+DEFAULT_IDE = AIIDEType.CURSOR
+# Command used in hooks
+CYCODE_SCAN_PROMPT_COMMAND = 'cycode ai-guardrails scan'
+def _get_cursor_hooks_config() -> dict:
+    """Get Cursor-specific hooks configuration."""
+    config = IDE_CONFIGS[AIIDEType.CURSOR]
+    hooks = {event: [{'command': CYCODE_SCAN_PROMPT_COMMAND}] for event in config.hook_events}
+    return {
+        'version': 1,
+        'hooks': hooks,
+    }
+def _get_claude_code_hooks_config() -> dict:
+    """Get Claude Code-specific hooks configuration.
+    Claude Code uses a different hook format with nested structure:
+    - hooks are arrays of objects with 'hooks' containing command arrays
+    - PreToolUse uses 'matcher' field to specify which tools to intercept
+    """
+    command = f'{CYCODE_SCAN_PROMPT_COMMAND} --ide claude-code'
+    return {
+        'hooks': {
+            'UserPromptSubmit': [
+                {
+                    'hooks': [{'type': 'command', 'command': command}],
+                }
+            ],
+            'PreToolUse': [
+                {
+                    'matcher': 'Read',
+                    'hooks': [{'type': 'command', 'command': command}],
+                },
+                {
+                    'matcher': 'mcp__.*',
+                    'hooks': [{'type': 'command', 'command': command}],
+                },
+            ],
+        },
+    }
+def get_hooks_config(ide: AIIDEType) -> dict:
+    """Get the hooks configuration for a specific IDE.
+    Args:
+        ide: The AI IDE type
+    Returns:
+        Dict with hooks configuration for the specified IDE
+    """
+    if ide == AIIDEType.CLAUDE_CODE:
+        return _get_claude_code_hooks_config()
+    return _get_cursor_hooks_config()

{cycode-3.9.0 → cycode-3.9.1.dev1}/cycode/cli/apps/ai_guardrails/hooks_manager.py RENAMED Viewed

@@ -59,9 +59,27 @@ def save_hooks_file(hooks_path: Path, hooks_config: dict) -> bool:
 def is_cycode_hook_entry(entry: dict) -> bool:
-    """Check if a hook entry is from cycode-cli."""
+    """Check if a hook entry is from cycode-cli.
+    Handles both Cursor format (flat) and Claude Code format (nested).
+    Cursor format: {"command": "cycode ai-guardrails scan"}
+    Claude Code format: {"hooks": [{"type": "command", "command": "cycode ai-guardrails scan --ide claude-code"}]}
+    """
+    # Check Cursor format (flat command)
     command = entry.get('command', '')
-    return CYCODE_SCAN_PROMPT_COMMAND in command
+    if CYCODE_SCAN_PROMPT_COMMAND in command:
+        return True
+    # Check Claude Code format (nested hooks array)
+    hooks = entry.get('hooks', [])
+    for hook in hooks:
+        if isinstance(hook, dict):
+            hook_command = hook.get('command', '')
+            if CYCODE_SCAN_PROMPT_COMMAND in hook_command:
+                return True
+    return False
 def install_hooks(
@@ -185,7 +203,15 @@ def get_hooks_status(scope: str = 'user', repo_path: Optional[Path] = None, ide:
     ide_config = IDE_CONFIGS[ide]
     has_cycode_hooks = False
     for event in ide_config.hook_events:
-        entries = existing.get('hooks', {}).get(event, [])
+        # Handle event:matcher format
+        if ':' in event:
+            actual_event, matcher_prefix = event.split(':', 1)
+            all_entries = existing.get('hooks', {}).get(actual_event, [])
+            # Filter entries by matcher
+            entries = [e for e in all_entries if e.get('matcher', '').startswith(matcher_prefix)]
+        else:
+            entries = existing.get('hooks', {}).get(event, [])
         cycode_entries = [e for e in entries if is_cycode_hook_entry(e)]
         if cycode_entries:
             has_cycode_hooks = True

{cycode-3.9.0 → cycode-3.9.1.dev1}/cycode/cli/apps/ai_guardrails/install_command.py RENAMED Viewed

@@ -11,7 +11,7 @@ from cycode.cli.apps.ai_guardrails.command_utils import (
     validate_and_parse_ide,
     validate_scope,
 )
-from cycode.cli.apps.ai_guardrails.consts import IDE_CONFIGS
+from cycode.cli.apps.ai_guardrails.consts import IDE_CONFIGS, AIIDEType
 from cycode.cli.apps.ai_guardrails.hooks_manager import install_hooks
 from cycode.cli.utils.sentry import add_breadcrumb
@@ -30,9 +30,9 @@ def install_command(
         str,
         typer.Option(
             '--ide',
-            help='IDE to install hooks for (e.g., "cursor"). Defaults to cursor.',
+            help='IDE to install hooks for (e.g., "cursor", "claude-code", or "all" for all IDEs). Defaults to cursor.',
         ),
-    ] = 'cursor',
+    ] = AIIDEType.CURSOR,
     repo_path: Annotated[
         Optional[Path],
         typer.Option(
@@ -54,6 +54,7 @@ def install_command(
         cycode ai-guardrails install                    # Install for all projects (user scope)
         cycode ai-guardrails install --scope repo       # Install for current repo only
         cycode ai-guardrails install --ide cursor       # Install for Cursor IDE
+        cycode ai-guardrails install --ide all          # Install for all supported IDEs
         cycode ai-guardrails install --scope repo --repo-path /path/to/repo
     """
     add_breadcrumb('ai-guardrails-install')
@@ -62,17 +63,35 @@ def install_command(
     validate_scope(scope)
     repo_path = resolve_repo_path(scope, repo_path)
     ide_type = validate_and_parse_ide(ide)
-    ide_name = IDE_CONFIGS[ide_type].name
-    success, message = install_hooks(scope, repo_path, ide=ide_type)
-    if success:
-        console.print(f'[green]✓[/] {message}')
+    ides_to_install: list[AIIDEType] = list(AIIDEType) if ide_type is None else [ide_type]
+    results: list[tuple[str, bool, str]] = []
+    for current_ide in ides_to_install:
+        ide_name = IDE_CONFIGS[current_ide].name
+        success, message = install_hooks(scope, repo_path, ide=current_ide)
+        results.append((ide_name, success, message))
+    # Report results for each IDE
+    any_success = False
+    all_success = True
+    for _ide_name, success, message in results:
+        if success:
+            console.print(f'[green]✓[/] {message}')
+            any_success = True
+        else:
+            console.print(f'[red]✗[/] {message}', style='bold red')
+            all_success = False
+    if any_success:
         console.print()
         console.print('[bold]Next steps:[/]')
-        console.print(f'1. Restart {ide_name} to activate the hooks')
+        successful_ides = [name for name, success, _ in results if success]
+        ide_list = ', '.join(successful_ides)
+        console.print(f'1. Restart {ide_list} to activate the hooks')
         console.print('2. (Optional) Customize policy in ~/.cycode/ai-guardrails.yaml')
         console.print()
         console.print('[dim]The hooks will scan prompts, file reads, and MCP tool calls for secrets.[/]')
-    else:
-        console.print(f'[red]✗[/] {message}', style='bold red')
+    if not all_success:
         raise typer.Exit(1)

{cycode-3.9.0 → cycode-3.9.1.dev1}/cycode/cli/apps/ai_guardrails/scan/handlers.py RENAMED Viewed

@@ -13,6 +13,7 @@ from typing import Callable, Optional
 import typer
+from cycode.cli.apps.ai_guardrails.consts import PolicyMode
 from cycode.cli.apps.ai_guardrails.scan.payload import AIHookPayload
 from cycode.cli.apps.ai_guardrails.scan.policy import get_policy_value
 from cycode.cli.apps.ai_guardrails.scan.response_builders import get_response_builder
@@ -46,7 +47,7 @@ def handle_before_submit_prompt(ctx: typer.Context, payload: AIHookPayload, poli
         ai_client.create_event(payload, AiHookEventType.PROMPT, AIHookOutcome.ALLOWED)
         return response_builder.allow_prompt()
-    mode = get_policy_value(policy, 'mode', default='block')
+    mode = get_policy_value(policy, 'mode', default=PolicyMode.BLOCK)
     prompt = payload.prompt or ''
     max_bytes = get_policy_value(policy, 'secrets', 'max_bytes', default=200000)
     timeout_ms = get_policy_value(policy, 'secrets', 'timeout_ms', default=30000)
@@ -55,29 +56,26 @@ def handle_before_submit_prompt(ctx: typer.Context, payload: AIHookPayload, poli
     scan_id = None
     block_reason = None
     outcome = AIHookOutcome.ALLOWED
+    error_message = None
     try:
         violation_summary, scan_id = _scan_text_for_secrets(ctx, clipped, timeout_ms)
-        if (
-            violation_summary
-            and get_policy_value(prompt_config, 'action', default='block') == 'block'
-            and mode == 'block'
-        ):
-            outcome = AIHookOutcome.BLOCKED
+        if violation_summary:
             block_reason = BlockReason.SECRETS_IN_PROMPT
-            user_message = f'{violation_summary}. Remove secrets before sending.'
-            response = response_builder.deny_prompt(user_message)
-        else:
-            if violation_summary:
-                outcome = AIHookOutcome.WARNED
-            response = response_builder.allow_prompt()
-        return response
+            action = get_policy_value(prompt_config, 'action', default=PolicyMode.BLOCK)
+            if action == PolicyMode.BLOCK and mode == PolicyMode.BLOCK:
+                outcome = AIHookOutcome.BLOCKED
+                user_message = f'{violation_summary}. Remove secrets before sending.'
+                return response_builder.deny_prompt(user_message)
+            outcome = AIHookOutcome.WARNED
+        return response_builder.allow_prompt()
     except Exception as e:
         outcome = (
             AIHookOutcome.ALLOWED if get_policy_value(policy, 'fail_open', default=True) else AIHookOutcome.BLOCKED
         )
-        block_reason = BlockReason.SCAN_FAILURE if outcome == AIHookOutcome.BLOCKED else None
+        block_reason = BlockReason.SCAN_FAILURE
+        error_message = str(e)
         raise e
     finally:
         ai_client.create_event(
@@ -86,6 +84,7 @@ def handle_before_submit_prompt(ctx: typer.Context, payload: AIHookPayload, poli
             outcome,
             scan_id=scan_id,
             block_reason=block_reason,
+            error_message=error_message,
         )
@@ -106,38 +105,53 @@ def handle_before_read_file(ctx: typer.Context, payload: AIHookPayload, policy:
         ai_client.create_event(payload, AiHookEventType.FILE_READ, AIHookOutcome.ALLOWED)
         return response_builder.allow_permission()
-    mode = get_policy_value(policy, 'mode', default='block')
+    mode = get_policy_value(policy, 'mode', default=PolicyMode.BLOCK)
     file_path = payload.file_path or ''
-    action = get_policy_value(file_read_config, 'action', default='block')
+    action = get_policy_value(file_read_config, 'action', default=PolicyMode.BLOCK)
     scan_id = None
     block_reason = None
     outcome = AIHookOutcome.ALLOWED
+    error_message = None
     try:
         # Check path-based denylist first
-        if is_denied_path(file_path, policy) and action == 'block':
-            outcome = AIHookOutcome.BLOCKED
+        if is_denied_path(file_path, policy):
             block_reason = BlockReason.SENSITIVE_PATH
-            user_message = f'Cycode blocked sending {file_path} to the AI (sensitive path policy).'
-            return response_builder.deny_permission(
+            if mode == PolicyMode.BLOCK and action == PolicyMode.BLOCK:
+                outcome = AIHookOutcome.BLOCKED
+                user_message = f'Cycode blocked sending {file_path} to the AI (sensitive path policy).'
+                return response_builder.deny_permission(
+                    user_message,
+                    'This file path is classified as sensitive; do not read/send it to the model.',
+                )
+            # Warn mode - ask user for permission
+            outcome = AIHookOutcome.WARNED
+            user_message = f'Cycode flagged {file_path} as sensitive. Allow reading?'
+            return response_builder.ask_permission(
                 user_message,
-                'This file path is classified as sensitive; do not read/send it to the model.',
+                'This file path is classified as sensitive; proceed with caution.',
             )
         # Scan file content if enabled
         if get_policy_value(file_read_config, 'scan_content', default=True):
             violation_summary, scan_id = _scan_path_for_secrets(ctx, file_path, policy)
-            if violation_summary and action == 'block' and mode == 'block':
-                outcome = AIHookOutcome.BLOCKED
+            if violation_summary:
                 block_reason = BlockReason.SECRETS_IN_FILE
-                user_message = f'Cycode blocked reading {file_path}. {violation_summary}'
-                return response_builder.deny_permission(
+                if mode == PolicyMode.BLOCK and action == PolicyMode.BLOCK:
+                    outcome = AIHookOutcome.BLOCKED
+                    user_message = f'Cycode blocked reading {file_path}. {violation_summary}'
+                    return response_builder.deny_permission(
+                        user_message,
+                        'Secrets detected; do not send this file to the model.',
+                    )
+                # Warn mode - ask user for permission
+                outcome = AIHookOutcome.WARNED
+                user_message = f'Cycode detected secrets in {file_path}. {violation_summary}'
+                return response_builder.ask_permission(
                     user_message,
-                    'Secrets detected; do not send this file to the model.',
+                    'Possible secrets detected; proceed with caution.',
                 )
-            if violation_summary:
-                outcome = AIHookOutcome.WARNED
             return response_builder.allow_permission()
         return response_builder.allow_permission()
@@ -145,7 +159,8 @@ def handle_before_read_file(ctx: typer.Context, payload: AIHookPayload, policy:
         outcome = (
             AIHookOutcome.ALLOWED if get_policy_value(policy, 'fail_open', default=True) else AIHookOutcome.BLOCKED
         )
-        block_reason = BlockReason.SCAN_FAILURE if outcome == AIHookOutcome.BLOCKED else None
+        block_reason = BlockReason.SCAN_FAILURE
+        error_message = str(e)
         raise e
     finally:
         ai_client.create_event(
@@ -154,6 +169,7 @@ def handle_before_read_file(ctx: typer.Context, payload: AIHookPayload, policy:
             outcome,
             scan_id=scan_id,
             block_reason=block_reason,
+            error_message=error_message,
         )
@@ -175,26 +191,27 @@ def handle_before_mcp_execution(ctx: typer.Context, payload: AIHookPayload, poli
         ai_client.create_event(payload, AiHookEventType.MCP_EXECUTION, AIHookOutcome.ALLOWED)
         return response_builder.allow_permission()
-    mode = get_policy_value(policy, 'mode', default='block')
+    mode = get_policy_value(policy, 'mode', default=PolicyMode.BLOCK)
     tool = payload.mcp_tool_name or 'unknown'
     args = payload.mcp_arguments or {}
     args_text = args if isinstance(args, str) else json.dumps(args)
     max_bytes = get_policy_value(policy, 'secrets', 'max_bytes', default=200000)
     timeout_ms = get_policy_value(policy, 'secrets', 'timeout_ms', default=30000)
     clipped = truncate_utf8(args_text, max_bytes)
-    action = get_policy_value(mcp_config, 'action', default='block')
+    action = get_policy_value(mcp_config, 'action', default=PolicyMode.BLOCK)
     scan_id = None
     block_reason = None
     outcome = AIHookOutcome.ALLOWED
+    error_message = None
     try:
         if get_policy_value(mcp_config, 'scan_arguments', default=True):
             violation_summary, scan_id = _scan_text_for_secrets(ctx, clipped, timeout_ms)
             if violation_summary:
-                if mode == 'block' and action == 'block':
+                block_reason = BlockReason.SECRETS_IN_MCP_ARGS
+                if mode == PolicyMode.BLOCK and action == PolicyMode.BLOCK:
                     outcome = AIHookOutcome.BLOCKED
-                    block_reason = BlockReason.SECRETS_IN_MCP_ARGS
                     user_message = f'Cycode blocked MCP tool call "{tool}". {violation_summary}'
                     return response_builder.deny_permission(
                         user_message,
@@ -211,7 +228,8 @@ def handle_before_mcp_execution(ctx: typer.Context, payload: AIHookPayload, poli
         outcome = (
             AIHookOutcome.ALLOWED if get_policy_value(policy, 'fail_open', default=True) else AIHookOutcome.BLOCKED
         )
-        block_reason = BlockReason.SCAN_FAILURE if outcome == AIHookOutcome.BLOCKED else None
+        block_reason = BlockReason.SCAN_FAILURE
+        error_message = str(e)
         raise e
     finally:
         ai_client.create_event(
@@ -220,6 +238,7 @@ def handle_before_mcp_execution(ctx: typer.Context, payload: AIHookPayload, poli
             outcome,
             scan_id=scan_id,
             block_reason=block_reason,
+            error_message=error_message,
         )

cycode 3.9.0__tar.gz → 3.9.1.dev1__tar.gz

cycode 3.9.0tar.gz → 3.9.1.dev1tar.gz