CM-58331-review

Author: Ilanlido

cycode/cli/apps/ai_guardrails/consts.py

@@ -18,6 +18,13 @@ class AIIDEType(str, Enum):
     CLAUDE_CODE = 'claude-code'
 
 
+class PolicyMode(str, Enum):
+    """Policy enforcement mode for global mode and per-feature actions."""
+
+    BLOCK = 'block'
+    WARN = 'warn'
+
+
 class IDEConfig(NamedTuple):
     """Configuration for an AI IDE."""
 

cycode/cli/apps/ai_guardrails/install_command.py

@@ -32,7 +32,7 @@ def install_command(
             '--ide',
             help='IDE to install hooks for (e.g., "cursor", "claude-code", or "all" for all IDEs). Defaults to cursor.',
         ),
-    ] = 'cursor',
+    ] = AIIDEType.CURSOR,
     repo_path: Annotated[
         Optional[Path],
         typer.Option(

cycode/cli/apps/ai_guardrails/scan/handlers.py

@@ -13,6 +13,7 @@
 
 import typer
 
+from cycode.cli.apps.ai_guardrails.consts import PolicyMode
 from cycode.cli.apps.ai_guardrails.scan.payload import AIHookPayload
 from cycode.cli.apps.ai_guardrails.scan.policy import get_policy_value
 from cycode.cli.apps.ai_guardrails.scan.response_builders import get_response_builder
@@ -46,7 +47,7 @@ def handle_before_submit_prompt(ctx: typer.Context, payload: AIHookPayload, poli
         ai_client.create_event(payload, AiHookEventType.PROMPT, AIHookOutcome.ALLOWED)
         return response_builder.allow_prompt()
 
-    mode = get_policy_value(policy, 'mode', default='block')
+    mode = get_policy_value(policy, 'mode', default=PolicyMode.BLOCK)
     prompt = payload.prompt or ''
     max_bytes = get_policy_value(policy, 'secrets', 'max_bytes', default=200000)
     timeout_ms = get_policy_value(policy, 'secrets', 'timeout_ms', default=30000)
@@ -62,7 +63,8 @@ def handle_before_submit_prompt(ctx: typer.Context, payload: AIHookPayload, poli
 
         if violation_summary:
             block_reason = BlockReason.SECRETS_IN_PROMPT
-            if get_policy_value(prompt_config, 'action', default='block') == 'block' and mode == 'block':
+            action = get_policy_value(prompt_config, 'action', default=PolicyMode.BLOCK)
+            if action == PolicyMode.BLOCK and mode == PolicyMode.BLOCK:
                 outcome = AIHookOutcome.BLOCKED
                 user_message = f'{violation_summary}. Remove secrets before sending.'
                 return response_builder.deny_prompt(user_message)
@@ -103,9 +105,9 @@ def handle_before_read_file(ctx: typer.Context, payload: AIHookPayload, policy:
         ai_client.create_event(payload, AiHookEventType.FILE_READ, AIHookOutcome.ALLOWED)
         return response_builder.allow_permission()
 
-    mode = get_policy_value(policy, 'mode', default='block')
+    mode = get_policy_value(policy, 'mode', default=PolicyMode.BLOCK)
     file_path = payload.file_path or ''
-    action = get_policy_value(file_read_config, 'action', default='block')
+    action = get_policy_value(file_read_config, 'action', default=PolicyMode.BLOCK)
 
     scan_id = None
     block_reason = None
@@ -116,7 +118,7 @@ def handle_before_read_file(ctx: typer.Context, payload: AIHookPayload, policy:
         # Check path-based denylist first
         if is_denied_path(file_path, policy):
             block_reason = BlockReason.SENSITIVE_PATH
-            if mode == 'block' and action == 'block':
+            if mode == PolicyMode.BLOCK and action == PolicyMode.BLOCK:
                 outcome = AIHookOutcome.BLOCKED
                 user_message = f'Cycode blocked sending {file_path} to the AI (sensitive path policy).'
                 return response_builder.deny_permission(
@@ -136,7 +138,7 @@ def handle_before_read_file(ctx: typer.Context, payload: AIHookPayload, policy:
             violation_summary, scan_id = _scan_path_for_secrets(ctx, file_path, policy)
             if violation_summary:
                 block_reason = BlockReason.SECRETS_IN_FILE
-                if mode == 'block' and action == 'block':
+                if mode == PolicyMode.BLOCK and action == PolicyMode.BLOCK:
                     outcome = AIHookOutcome.BLOCKED
                     user_message = f'Cycode blocked reading {file_path}. {violation_summary}'
                     return response_builder.deny_permission(
@@ -189,14 +191,14 @@ def handle_before_mcp_execution(ctx: typer.Context, payload: AIHookPayload, poli
         ai_client.create_event(payload, AiHookEventType.MCP_EXECUTION, AIHookOutcome.ALLOWED)
         return response_builder.allow_permission()
 
-    mode = get_policy_value(policy, 'mode', default='block')
+    mode = get_policy_value(policy, 'mode', default=PolicyMode.BLOCK)
     tool = payload.mcp_tool_name or 'unknown'
     args = payload.mcp_arguments or {}
     args_text = args if isinstance(args, str) else json.dumps(args)
     max_bytes = get_policy_value(policy, 'secrets', 'max_bytes', default=200000)
     timeout_ms = get_policy_value(policy, 'secrets', 'timeout_ms', default=30000)
     clipped = truncate_utf8(args_text, max_bytes)
-    action = get_policy_value(mcp_config, 'action', default='block')
+    action = get_policy_value(mcp_config, 'action', default=PolicyMode.BLOCK)
 
     scan_id = None
     block_reason = None
@@ -208,7 +210,7 @@ def handle_before_mcp_execution(ctx: typer.Context, payload: AIHookPayload, poli
             violation_summary, scan_id = _scan_text_for_secrets(ctx, clipped, timeout_ms)
             if violation_summary:
                 block_reason = BlockReason.SECRETS_IN_MCP_ARGS
-                if mode == 'block' and action == 'block':
+                if mode == PolicyMode.BLOCK and action == PolicyMode.BLOCK:
                     outcome = AIHookOutcome.BLOCKED
                     user_message = f'Cycode blocked MCP tool call "{tool}". {violation_summary}'
                     return response_builder.deny_permission(

cycode/cli/apps/ai_guardrails/scan/payload.py

@@ -6,6 +6,7 @@
 from pathlib import Path
 from typing import Optional
 
+from cycode.cli.apps.ai_guardrails.consts import AIIDEType
 from cycode.cli.apps.ai_guardrails.scan.types import (
     CLAUDE_CODE_EVENT_MAPPING,
     CLAUDE_CODE_EVENT_NAMES,
@@ -47,7 +48,7 @@ def _reverse_readline(path: Path, buf_size: int = 8192) -> Iterator[str]:
                     if newline_pos == -1:
                         break
                 # Yield the line after this newline
-                line = buffer[newline_pos + 1 :]
+                line = buffer[newline_pos + 1:]
                 buffer = buffer[: newline_pos + 1]
                 if line.strip():
                     yield line.decode('utf-8', errors='replace')
@@ -57,8 +58,20 @@ def _reverse_readline(path: Path, buf_size: int = 8192) -> Iterator[str]:
             yield buffer.decode('utf-8', errors='replace')
 
 
-def _extract_from_claude_transcript(  # noqa: C901
-    transcript_path: str,
+def _extract_model(entry: dict) -> Optional[str]:
+    """Extract model from a transcript entry (top level or nested in message)."""
+    return entry.get('model') or (entry.get('message') or {}).get('model')
+
+
+def _extract_generation_id(entry: dict) -> Optional[str]:
+    """Extract generation ID from a user-type transcript entry."""
+    if entry.get('type') == 'user':
+        return entry.get('uuid')
+    return None
+
+
+def _extract_from_claude_transcript(
+        transcript_path: str,
 ) -> tuple[Optional[str], Optional[str], Optional[str]]:
     """Extract IDE version, model, and latest generation ID from Claude Code transcript file.
 
@@ -90,16 +103,11 @@ def _extract_from_claude_transcript(  # noqa: C901
                 continue
             try:
                 entry = json.loads(line)
-                if ide_version is None and 'version' in entry:
-                    ide_version = entry['version']
-                # Model can be at top level or nested in message.model
-                if model is None:
-                    model = entry.get('model') or (entry.get('message') or {}).get('model')
-                # Get the latest user message UUID as generation_id
-                if generation_id is None and entry.get('type') == 'user' and entry.get('uuid'):
-                    generation_id = entry['uuid']
-                # Stop early if we found all values
-                if ide_version is not None and model is not None and generation_id is not None:
+                ide_version = ide_version or entry.get('version')
+                model = model or _extract_model(entry)
+                generation_id = generation_id or _extract_generation_id(entry)
+
+                if ide_version and model and generation_id:
                     break
             except json.JSONDecodeError:
                 continue
@@ -121,7 +129,7 @@ class AIHookPayload:
     # User and IDE information
     ide_user_email: Optional[str] = None
     model: Optional[str] = None
-    ide_provider: str = None  # e.g., 'cursor', 'claude-code'
+    ide_provider: str = None  # AIIDEType value (e.g., 'cursor', 'claude-code')
     ide_version: Optional[str] = None
 
     # Event-specific data
@@ -147,7 +155,7 @@ def from_cursor_payload(cls, payload: dict) -> 'AIHookPayload':
             generation_id=payload.get('generation_id'),
             ide_user_email=payload.get('user_email'),
             model=payload.get('model'),
-            ide_provider='cursor',
+            ide_provider=AIIDEType.CURSOR,
             ide_version=payload.get('cursor_version'),
             prompt=payload.get('prompt', ''),
             file_path=payload.get('file_path') or payload.get('path'),
@@ -205,7 +213,7 @@ def from_claude_code_payload(cls, payload: dict) -> 'AIHookPayload':
             generation_id=generation_id,
             ide_user_email=None,  # Claude Code doesn't provide this in hook payload
             model=model,
-            ide_provider='claude-code',
+            ide_provider=AIIDEType.CLAUDE_CODE,
             ide_version=ide_version,
             prompt=payload.get('prompt', ''),
             file_path=file_path,
@@ -224,37 +232,37 @@ def is_payload_for_ide(payload: dict, ide: str) -> bool:
 
         Args:
             payload: The raw payload from the IDE
-            ide: The IDE name (e.g., 'cursor', 'claude-code')
+            ide: The IDE name or AIIDEType enum value
 
         Returns:
             True if the payload matches the IDE, False otherwise.
         """
         hook_event_name = payload.get('hook_event_name', '')
 
-        if ide == 'claude-code':
+        if ide == AIIDEType.CLAUDE_CODE:
             return hook_event_name in CLAUDE_CODE_EVENT_NAMES
-        if ide == 'cursor':
+        if ide == AIIDEType.CURSOR:
             return hook_event_name in CURSOR_EVENT_NAMES
 
         # Unknown IDE, allow processing
         return True
 
     @classmethod
-    def from_payload(cls, payload: dict, tool: str = 'cursor') -> 'AIHookPayload':
+    def from_payload(cls, payload: dict, tool: str = AIIDEType.CURSOR) -> 'AIHookPayload':
         """Create AIHookPayload from any tool's payload.
 
         Args:
             payload: The raw payload from the IDE
-            tool: The IDE/tool name (e.g., 'cursor', 'claude-code')
+            tool: The IDE/tool name or AIIDEType enum value
 
         Returns:
             AIHookPayload instance
 
         Raises:
             ValueError: If the tool is not supported
         """
-        if tool == 'cursor':
+        if tool == AIIDEType.CURSOR:
             return cls.from_cursor_payload(payload)
-        if tool == 'claude-code':
+        if tool == AIIDEType.CLAUDE_CODE:
             return cls.from_claude_code_payload(payload)
         raise ValueError(f'Unsupported IDE/tool: {tool}')

cycode/cli/apps/ai_guardrails/scan/response_builders.py

@@ -7,6 +7,8 @@
 
 from abc import ABC, abstractmethod
 
+from cycode.cli.apps.ai_guardrails.consts import AIIDEType
+
 
 class IDEResponseBuilder(ABC):
     """Abstract base class for IDE-specific response builders."""
@@ -108,26 +110,29 @@ def deny_prompt(self, user_message: str) -> dict:
         return {'decision': 'block', 'reason': user_message}
 
 
-# Registry of response builders by IDE name
+# Registry of response builders by IDE type
 _RESPONSE_BUILDERS: dict[str, IDEResponseBuilder] = {
-    'cursor': CursorResponseBuilder(),
-    'claude-code': ClaudeCodeResponseBuilder(),
+    AIIDEType.CURSOR: CursorResponseBuilder(),
+    AIIDEType.CLAUDE_CODE: ClaudeCodeResponseBuilder(),
 }
 
 
-def get_response_builder(ide: str = 'cursor') -> IDEResponseBuilder:
+def get_response_builder(ide: str = AIIDEType.CURSOR) -> IDEResponseBuilder:
     """Get the response builder for a specific IDE.
 
     Args:
-        ide: The IDE name (e.g., 'cursor', 'claude-code')
+        ide: The IDE name (e.g., 'cursor', 'claude-code') or AIIDEType enum
 
     Returns:
         IDEResponseBuilder instance for the specified IDE
 
     Raises:
         ValueError: If the IDE is not supported
     """
-    builder = _RESPONSE_BUILDERS.get(ide.lower())
+    # Normalize to AIIDEType if string passed
+    if isinstance(ide, str):
+        ide = ide.lower()
+    builder = _RESPONSE_BUILDERS.get(ide)
     if not builder:
         raise ValueError(f'Unsupported IDE: {ide}. Supported IDEs: {list(_RESPONSE_BUILDERS.keys())}')
     return builder

cycode/cli/apps/ai_guardrails/scan/scan_command.py

@@ -16,6 +16,7 @@
 import click
 import typer
 
+from cycode.cli.apps.ai_guardrails.consts import AIIDEType
 from cycode.cli.apps.ai_guardrails.scan.handlers import get_handler_for_event
 from cycode.cli.apps.ai_guardrails.scan.payload import AIHookPayload
 from cycode.cli.apps.ai_guardrails.scan.policy import load_policy
@@ -69,7 +70,7 @@ def scan_command(
             help='IDE that sent the payload (e.g., "cursor"). Defaults to cursor.',
             hidden=True,
         ),
-    ] = 'cursor',
+    ] = AIIDEType.CURSOR,
 ) -> None:
     """Scan content from AI IDE hooks for secrets.
 

cycode/cli/apps/ai_guardrails/status_command.py

@@ -29,7 +29,7 @@ def status_command(
             '--ide',
             help='IDE to check status for (e.g., "cursor", "claude-code", or "all" for all IDEs). Defaults to cursor.',
         ),
-    ] = 'cursor',
+    ] = AIIDEType.CURSOR,
     repo_path: Annotated[
         Optional[Path],
         typer.Option(

cycode/cli/apps/ai_guardrails/uninstall_command.py

@@ -32,7 +32,7 @@ def uninstall_command(
             '--ide',
             help='IDE to uninstall hooks from (e.g., "cursor", "claude-code", "all"). Defaults to cursor.',
         ),
-    ] = 'cursor',
+    ] = AIIDEType.CURSOR,
     repo_path: Annotated[
         Optional[Path],
         typer.Option(