CM-58022-lint

Author: Ilanlido

cycode/cli/apps/ai_guardrails/command_utils.py

@@ -32,7 +32,7 @@ def validate_and_parse_ide(ide: str) -> AIIDEType:
             f'[red]Error:[/] Invalid IDE "{ide}". Supported IDEs: {valid_ides}',
             style='bold red',
         )
-        raise typer.Exit(1)
+        raise typer.Exit(1) from None
 
 
 def validate_scope(scope: str, allowed_scopes: tuple[str, ...] = ('user', 'repo')) -> None:

cycode/cli/apps/ai_guardrails/consts.py

@@ -18,11 +18,13 @@
 
 class AIIDEType(str, Enum):
     """Supported AI IDE types."""
+
     CURSOR = 'cursor'
 
 
 class IDEConfig(NamedTuple):
     """Configuration for an AI IDE."""
+
     name: str
     hooks_dir: Path
     repo_hooks_subdir: str  # Subdirectory in repo for hooks (e.g., '.cursor')
@@ -34,10 +36,10 @@ def _get_cursor_hooks_dir() -> Path:
     """Get Cursor hooks directory based on platform."""
     if platform.system() == 'Darwin':
         return Path.home() / '.cursor'
-    elif platform.system() == 'Windows':
+    if platform.system() == 'Windows':
         return Path.home() / 'AppData' / 'Roaming' / 'Cursor'
-    else:  # Linux
-        return Path.home() / '.config' / 'Cursor'
+    # Linux
+    return Path.home() / '.config' / 'Cursor'
 
 
 # IDE-specific configurations

cycode/cli/apps/ai_guardrails/hooks_manager.py

@@ -10,11 +10,11 @@
 from typing import Optional
 
 from cycode.cli.apps.ai_guardrails.consts import (
-    AIIDEType,
     CYCODE_MARKER,
     CYCODE_SCAN_PROMPT_COMMAND,
     DEFAULT_IDE,
     IDE_CONFIGS,
+    AIIDEType,
     get_hooks_config,
 )
 from cycode.logger import get_logger
@@ -162,9 +162,7 @@ def uninstall_hooks(
     return False, f'Failed to update hooks file: {hooks_path}'
 
 
-def get_hooks_status(
-        scope: str = 'user', repo_path: Optional[Path] = None, ide: AIIDEType = DEFAULT_IDE
-) -> dict:
+def get_hooks_status(scope: str = 'user', repo_path: Optional[Path] = None, ide: AIIDEType = DEFAULT_IDE) -> dict:
     """
     Get the status of AI guardrails hooks.
 

cycode/cli/apps/scan/prompt/handlers.py

@@ -7,16 +7,17 @@
 
 import json
 import os
-from multiprocessing.pool import ThreadPool, TimeoutError as PoolTimeoutError
-from typing import Optional
+from multiprocessing.pool import ThreadPool
+from multiprocessing.pool import TimeoutError as PoolTimeoutError
+from typing import Callable, Optional
 
 import typer
 
 from cycode.cli.apps.scan.code_scanner import _get_scan_documents_thread_func
 from cycode.cli.apps.scan.prompt.payload import AIHookPayload
 from cycode.cli.apps.scan.prompt.policy import get_policy_value
 from cycode.cli.apps.scan.prompt.response_builders import get_response_builder
-from cycode.cli.apps.scan.prompt.types import AIHookOutcome, AiHookEventType, BlockReason
+from cycode.cli.apps.scan.prompt.types import AiHookEventType, AIHookOutcome, BlockReason
 from cycode.cli.apps.scan.prompt.utils import (
     is_denied_path,
     truncate_utf8,
@@ -60,8 +61,11 @@ def handle_before_submit_prompt(ctx: typer.Context, payload: AIHookPayload, poli
     try:
         violation_summary, scan_id = _scan_text_for_secrets(ctx, clipped, timeout_ms)
 
-        if violation_summary and get_policy_value(prompt_config, 'action',
-                                                  default='block') == 'block' and mode == 'block':
+        if (
+                violation_summary
+                and get_policy_value(prompt_config, 'action', default='block') == 'block'
+                and mode == 'block'
+        ):
             outcome = AIHookOutcome.BLOCKED
             block_reason = BlockReason.SECRETS_IN_PROMPT
             user_message = f'{violation_summary}. Remove secrets before sending.'
@@ -72,8 +76,9 @@ def handle_before_submit_prompt(ctx: typer.Context, payload: AIHookPayload, poli
             response = response_builder.allow_prompt()
         return response
     except Exception as e:
-        outcome = AIHookOutcome.ALLOWED if get_policy_value(policy, 'fail_open',
-                                                            default=True) else AIHookOutcome.BLOCKED
+        outcome = (
+            AIHookOutcome.ALLOWED if get_policy_value(policy, 'fail_open', default=True) else AIHookOutcome.BLOCKED
+        )
         block_reason = BlockReason.SCAN_FAILURE if outcome == AIHookOutcome.BLOCKED else None
         raise e
     finally:
@@ -133,15 +138,15 @@ def handle_before_read_file(ctx: typer.Context, payload: AIHookPayload, policy:
                     user_message,
                     'Secrets detected; do not send this file to the model.',
                 )
-            else:
-                if violation_summary:
-                    outcome = AIHookOutcome.WARNED
-                return response_builder.allow_permission()
+            if violation_summary:
+                outcome = AIHookOutcome.WARNED
+            return response_builder.allow_permission()
 
         return response_builder.allow_permission()
     except Exception as e:
-        outcome = AIHookOutcome.ALLOWED if get_policy_value(policy, 'fail_open',
-                                                            default=True) else AIHookOutcome.BLOCKED
+        outcome = (
+            AIHookOutcome.ALLOWED if get_policy_value(policy, 'fail_open', default=True) else AIHookOutcome.BLOCKED
+        )
         block_reason = BlockReason.SCAN_FAILURE if outcome == AIHookOutcome.BLOCKED else None
         raise e
     finally:
@@ -197,17 +202,17 @@ def handle_before_mcp_execution(ctx: typer.Context, payload: AIHookPayload, poli
                         user_message,
                         'Do not pass secrets to tools. Use secret references (name/id) instead.',
                     )
-                else:
-                    outcome = AIHookOutcome.WARNED
-                    return response_builder.ask_permission(
-                        f'{violation_summary} in MCP tool call "{tool}". Allow execution?',
-                        'Possible secrets detected in tool arguments; proceed with caution.',
-                    )
+                outcome = AIHookOutcome.WARNED
+                return response_builder.ask_permission(
+                    f'{violation_summary} in MCP tool call "{tool}". Allow execution?',
+                    'Possible secrets detected in tool arguments; proceed with caution.',
+                )
 
         return response_builder.allow_permission()
     except Exception as e:
-        outcome = AIHookOutcome.ALLOWED if get_policy_value(policy, 'fail_open',
-                                                            default=True) else AIHookOutcome.BLOCKED
+        outcome = (
+            AIHookOutcome.ALLOWED if get_policy_value(policy, 'fail_open', default=True) else AIHookOutcome.BLOCKED
+        )
         block_reason = BlockReason.SCAN_FAILURE if outcome == AIHookOutcome.BLOCKED else None
         raise e
     finally:
@@ -220,7 +225,7 @@ def handle_before_mcp_execution(ctx: typer.Context, payload: AIHookPayload, poli
         )
 
 
-def get_handler_for_event(event_type: str):
+def get_handler_for_event(event_type: str) -> Optional[Callable[[typer.Context, AIHookPayload, dict], dict]]:
     """Get the appropriate handler function for a canonical event type.
 
     Args:
@@ -274,8 +279,8 @@ def _perform_scan(
         try:
             scan_id, error, local_scan_result = result.get(timeout=timeout_seconds)
         except PoolTimeoutError:
-            logger.debug(f'Scan timed out after {timeout_seconds} seconds')
-            raise RuntimeError(f'Scan timed out after {timeout_seconds} seconds')
+            logger.debug('Scan timed out after %s seconds', timeout_seconds)
+            raise RuntimeError(f'Scan timed out after {timeout_seconds} seconds') from None
 
     # Check if scan failed - raise exception to trigger fail_open policy
     if error:
@@ -294,9 +299,7 @@ def _perform_scan(
     return None, scan_id
 
 
-def _scan_text_for_secrets(
-        ctx: typer.Context, text: str, timeout_ms: int
-) -> tuple[Optional[str], Optional[str]]:
+def _scan_text_for_secrets(ctx: typer.Context, text: str, timeout_ms: int) -> tuple[Optional[str], Optional[str]]:
     """
     Scan text content for secrets using Cycode CLI.
 
@@ -322,7 +325,7 @@ def _scan_path_for_secrets(ctx: typer.Context, file_path: str, policy: dict) ->
     if not file_path or not os.path.exists(file_path):
         return None, None
 
-    with open(file_path, 'r', encoding='utf-8', errors='replace') as f:
+    with open(file_path, encoding='utf-8', errors='replace') as f:
         content = f.read()
 
     # Truncate content based on policy max_bytes

cycode/cli/apps/scan/prompt/payload.py

@@ -67,5 +67,4 @@ def from_payload(cls, payload: dict, tool: str = 'cursor') -> 'AIHookPayload':
         """
         if tool == 'cursor':
             return cls.from_cursor_payload(payload)
-        else:
-            raise ValueError(f'Unsupported IDE/tool: {tool}.')
+        raise ValueError(f'Unsupported IDE/tool: {tool}.')

cycode/cli/apps/scan/prompt/prompt_command.py

@@ -105,9 +105,9 @@ def prompt_command(
             # Fail closed
             if event_name == AiHookEventType.PROMPT:
                 output_json(
-                    response_builder.deny_prompt('Cycode guardrails error - blocking due to fail-closed policy'))
+                    response_builder.deny_prompt('Cycode guardrails error - blocking due to fail-closed policy')
+                )
             else:
-                output_json(response_builder.deny_permission(
-                    'Cycode guardrails error',
-                    'Blocking due to fail-closed policy'
-                ))
+                output_json(
+                    response_builder.deny_permission('Cycode guardrails error', 'Blocking due to fail-closed policy')
+                )

cycode/cli/apps/scan/prompt/response_builders.py

@@ -14,27 +14,22 @@ class IDEResponseBuilder(ABC):
     @abstractmethod
     def allow_permission(self) -> dict:
         """Build response to allow file read or MCP execution."""
-        pass
 
     @abstractmethod
     def deny_permission(self, user_message: str, agent_message: str) -> dict:
         """Build response to deny file read or MCP execution."""
-        pass
 
     @abstractmethod
     def ask_permission(self, user_message: str, agent_message: str) -> dict:
         """Build response to ask user for permission (warn mode)."""
-        pass
 
     @abstractmethod
     def allow_prompt(self) -> dict:
         """Build response to allow prompt submission."""
-        pass
 
     @abstractmethod
     def deny_prompt(self, user_message: str) -> dict:
         """Build response to deny prompt submission."""
-        pass
 
 
 class CursorResponseBuilder(IDEResponseBuilder):

cycode/cli/apps/scan/prompt/utils.py

@@ -69,4 +69,4 @@ def is_denied_path(file_path: str, policy: dict) -> bool:
 
 def output_json(obj: dict) -> None:
     """Write JSON response to stdout (for IDE to read)."""
-    print(json.dumps(obj), end='')
+    print(json.dumps(obj), end='')  # noqa: T201

cycode/cyclient/ai_security_manager_client.py

@@ -7,7 +7,7 @@
 
 if TYPE_CHECKING:
     from cycode.cli.apps.scan.prompt.payload import AIHookPayload
-    from cycode.cli.apps.scan.prompt.types import AIHookOutcome, AiHookEventType, BlockReason
+    from cycode.cli.apps.scan.prompt.types import AiHookEventType, AIHookOutcome, BlockReason
     from cycode.cyclient.ai_security_manager_service_config import AISecurityManagerServiceConfigBase
 
 

pyproject.toml

@@ -141,7 +141,7 @@ inline-quotes = "single"
 ban-relative-imports = "all"
 
 [tool.ruff.lint.per-file-ignores]
-"tests/*.py" = ["S101", "S105"]
+"tests/**/*.py" = ["S101", "S105", "ANN"]
 "cycode/*.py" = ["BLE001"]
 
 [tool.ruff.format]