fix: use Cursor app auth as fallback #1295

Open
Jackie-Qin wants to merge 3 commits into steipete:main from Jackie-Qin:fix/cursor-app-auth-fallback

@Jackie-Qin Jackie-Qin commented Jun 4, 2026

Summary

  • Add Cursor.app local-auth as a final fallback after the existing manual/cached/browser/stored cookie sources fail, preserving Cursor account-selection precedence.
  • Use Cursor DashboardService endpoints with the local app auth token to fetch current-period usage and account info.
  • Document the new Cursor.app local-auth fallback and DashboardService request headers.

Test Plan

  • swift test --filter CursorStatusProbeTests — 31 tests passed
  • make check
  • swift test — 3241 tests passed

Live Proof

  • Redacted live Cursor.app local-auth proof run against PR head 148048d3d9887e94279653e80a58450246867a7c on 2026-06-04.
  • Method: temporary local Swift Testing probe (not committed) using CodexBarCore internals:
    • CursorAppAuthStore().loadSession() read Cursor.app state.vscdb.
    • CursorStatusProbe.fetchWithAppAuthSession(_:) fetched DashboardService usage/account data.
    • Browser-cookie import, stored WebKit session, and app Keychain cache paths were not used by this proof path.
  • Token handling: bearer token was never printed; only redacted account and usage fields were emitted.
LIVE_CURSOR_APP_AUTH_PROOF
source: Cursor.app state.vscdb local bearer token (token redacted; not printed)
request: DashboardService/GetCurrentPeriodUsage via CodexBarCore CursorStatusProbe.fetchWithAppAuthSession
request_header: Connect-Protocol-Version=1 (set by CursorStatusProbe.fetchDashboard)
account_email: j***@gmail.com
account_name_present: true
membership_type: pro
plan_usage: 19.5% used / 80.5% left
auto_usage: 25.1% used / 74.9% left
api_usage: 0.7% used / 99.3% left
included_spend_usd: $38.01 / $20.00
billing_cycle_end: 2026-06-23T11:47:04Z
parsed_planUsage: true
token_printed: false
✔ Test "live Cursor app auth fetches DashboardService usage" passed after 0.184 seconds.
✔ Test run with 1 test in 1 suite passed after 0.185 seconds.

clawsweeper Bot commented Jun 4, 2026

Codex review: needs maintainer review before merge. Reviewed June 4, 2026, 2:08 AM ET / 06:08 UTC.

Summary
The PR adds Cursor.app local authentication as a final fallback for Cursor usage/account fetching, plus focused tests and Cursor provider documentation.

Reproducibility: not applicable. This PR adds a new Cursor auth fallback rather than reporting a reproducible current-main bug. The PR body provides redacted live output for the new path, and source inspection confirms current main lacks it.

Review metrics: 2 noteworthy metrics.

  • Diff surface: 3 files, 545 additions, 2 deletions. The diff is focused but changes provider auth behavior, parser tests, and provider docs together.
  • New auth source: 1 fallback source added. Adding Cursor.app bearer auth is the key merge decision that normal tests cannot settle.

Merge readiness
Overall: 🐚 platinum hermit
Proof: 🦞 diamond lobster
Patch quality: 🐚 platinum hermit
Result: ready for maintainer review.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

  • Get maintainer sign-off on using Cursor.app state.vscdb bearer auth as a last-resort Cursor provider source.

Risk before merge

  • [P1] Existing users whose configured Cursor cookie/session sources fail may now receive usage for the locally signed-in Cursor.app account instead of a failure, so account-precedence acceptance is a maintainer decision.
  • [P2] The fallback depends on Cursor.app local state keys and DashboardService response shape, so upstream Cursor changes could break this new path even though the current tests and live proof cover the intended behavior.

Maintainer options:

  1. Accept Cursor.app as final fallback
    A maintainer can accept the compatibility risk and merge with the current ordering, where cookie/session sources remain ahead of Cursor.app local auth.
  2. Require opt-in before fallback
    If silent fallback to the Cursor.app account is not acceptable, ask for a setting or explicit source selection before merge.
  3. Pause until provider surface is owned
    If maintainers are not ready to own the reverse-engineered state.vscdb and DashboardService surface, pause or close this PR despite the working proof.

Next step before merge

  • [P2] Manual maintainer review is needed because the remaining blocker is accepting the new auth source and account-precedence behavior, not a concrete automated code repair.

Security
Cleared: No concrete token logging, dependency, supply-chain, or permission regression was found; the sensitive behavior is the intended new Cursor local-token source.

Review details

Best possible solution:

Merge only after maintainer sign-off that Cursor.app local bearer auth is an acceptable last-resort Cursor source; otherwise require an explicit opt-in path before enabling it for existing users.

Do we have a high-confidence way to reproduce the issue?

Not applicable; this PR adds a new Cursor auth fallback rather than reporting a reproducible current-main bug. The PR body provides redacted live output for the new path, and source inspection confirms current main lacks it.

Is this the best way to solve the issue?

Unclear pending maintainer policy: if Cursor.app local bearer auth is acceptable, placing it after existing cookie/session sources is the narrowest maintainable implementation. If silent fallback to the app account is not acceptable, an explicit opt-in source is safer.

AGENTS.md: found and applied where relevant.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 65e39f4dcb3a.

Label changes

Label changes:

  • add proof: sufficient: Contributor real behavior proof is sufficient. The PR body contains redacted live output from the current head showing the Cursor.app state.vscdb token path fetching DashboardService usage/account data with the bearer token withheld.
  • add rating: 🐚 platinum hermit: Overall readiness is 🐚 platinum hermit; proof is 🦞 diamond lobster and patch quality is 🐚 platinum hermit.
  • add status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Sufficient (live_output): The PR body contains redacted live output from the current head showing the Cursor.app state.vscdb token path fetching DashboardService usage/account data with the bearer token withheld.
  • remove rating: 🧂 unranked krab: Current PR rating is rating: 🐚 platinum hermit, so this older rating label is no longer current.
  • remove status: 📣 needs proof: Current PR status label is status: 👀 ready for maintainer look.

Label justifications:

  • P2: This is a normal-priority Cursor provider improvement with limited blast radius but auth-source implications.
  • merge-risk: 🚨 compatibility: Users with failed cookie/session sources may now fall through to a different locally signed-in Cursor.app account instead of receiving the previous failure.
  • merge-risk: 🚨 auth-provider: The PR adds a new local bearer-token source and DashboardService auth route for the Cursor provider.
  • rating: 🐚 platinum hermit: Overall readiness is 🐚 platinum hermit; proof is 🦞 diamond lobster and patch quality is 🐚 platinum hermit.
  • status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Sufficient (live_output): The PR body contains redacted live output from the current head showing the Cursor.app state.vscdb token path fetching DashboardService usage/account data with the bearer token withheld.
  • proof: sufficient: Contributor real behavior proof is sufficient. The PR body contains redacted live output from the current head showing the Cursor.app state.vscdb token path fetching DashboardService usage/account data with the bearer token withheld.

Evidence reviewed

What I checked:

Likely related people:

  • Peter Steinberger: Recent blame and shortlog show heavy ownership of the current Cursor fetch path, cookie/source behavior, and related provider cleanup. (role: recent area contributor; confidence: high; commits: 723734ef3422, be9f8d505f28, 087563249cad; files: Sources/CodexBarCore/Providers/Cursor/CursorStatusProbe.swift, Tests/CodexBarTests/CursorStatusProbeTests.swift, docs/cursor.md)
  • Ratul Sarna: History shows multiple Cursor usage/fallback commits, including the dashboard-aligned usage support that this PR extends. (role: Cursor usage feature contributor; confidence: medium; commits: b334afa24a2c, 4a9948112449, 8f3a28881df5; files: Sources/CodexBarCore/Providers/Cursor/CursorStatusProbe.swift, Tests/CodexBarTests/CursorStatusProbeTests.swift)
  • serezha93: Recent history added the shared provider HTTP transport used by CursorStatusProbe request paths touched by this PR. (role: adjacent provider transport contributor; confidence: medium; commits: f62bb8c8d564; files: Sources/CodexBarCore/Providers/Cursor/CursorStatusProbe.swift)

What the crustacean ranks mean

  • 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
  • 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
  • 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
  • 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
  • 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
  • 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
  • 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works
  • ClawSweeper keeps one durable marker-backed review comment per issue or PR.
  • Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
  • A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
  • PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
  • Maintainers can also comment @clawsweeper review to request a fresh review only.
  • Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
  • Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
  • Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 69bf8e7407

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

Comment thread Sources/CodexBarCore/Providers/Cursor/CursorStatusProbe.swift
Comment thread Sources/CodexBarCore/Providers/Cursor/CursorStatusProbe.swift
@clawsweeper clawsweeper Bot added rating: 🦪 silver shellfish Thin PR readiness signal; proof, validation, or implementation needs work. status: 📣 needs proof The PR needs real behavior proof before ClawSweeper can clear the contributor ask. P2 Normal priority bug or improvement with limited blast radius. merge-risk: 🚨 compatibility 🚨 Merging this PR could break existing users, config, migrations, defaults, or upgrades. merge-risk: 🚨 auth-provider 🚨 Merging this PR could break OAuth, tokens, provider routing, model choice, or credentials. labels Jun 4, 2026
@Jackie-Qin
Author

Thanks for the automated review — both points were valid and are addressed in 1b1416b3.

Changes:

  • Added Connect-Protocol-Version: 1 to Cursor DashboardService requests.
  • Treat a Dashboard response without planUsage as a parse failure instead of returning a successful zero-usage snapshot, allowing the normal fallback path to continue.
  • Added regression coverage for the header and missing-planUsage case.

Validation:

  • swift test --filter CursorStatusProbeTests
  • make check
  • swift test
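
Added example, not code from this PR or from CodexBar: a minimal Swift sketch of the behaviour described in the comment above and in the PR summary, where a response without planUsage is a parse failure so the ordered source chain continues, and the result records which source answered. All type and function names, the source labels and the percentUsed field are hypothetical; only the planUsage key appears in the thread.

```swift
import Foundation

// Hypothetical names throughout; only the `planUsage` key comes from the PR thread.
enum UsageError: Error { case missingPlanUsage, sourceUnavailable(String) }

struct UsageSnapshot: Equatable {
    let source: String        // which credential source produced this result
    let percentUsed: Double
}

// Constructed response shape: {"planUsage": {"percentUsed": 19.5}}
func parseUsage(_ data: Data, source: String) throws -> UsageSnapshot {
    let object = try JSONSerialization.jsonObject(with: data) as? [String: Any]
    // A missing planUsage is a parse failure, not "0% used": returning zeros
    // would end the fallback chain with a result that looks valid but is not.
    guard let plan = object?["planUsage"] as? [String: Any],
          let used = plan["percentUsed"] as? Double else {
        throw UsageError.missingPlanUsage
    }
    return UsageSnapshot(source: source, percentUsed: used)
}

// Sources are tried in precedence order; the first one that parses wins.
func fetchUsage(sources: [(name: String, fetch: () throws -> Data)]) throws -> UsageSnapshot {
    var lastError: Error = UsageError.sourceUnavailable("no sources configured")
    for source in sources {
        do {
            return try parseUsage(source.fetch(), source: source.name)
        } catch {
            lastError = error   // remember why, then fall through to the next source
        }
    }
    throw lastError
}

// Constructed sample data: two earlier sources fail, the local-auth source answers last.
let sources: [(name: String, fetch: () throws -> Data)] = [
    ("browser-cookie", { throw UsageError.sourceUnavailable("cookie expired") }),
    ("stored-session", { Data(#"{"account":{}}"#.utf8) }),   // parses, but no planUsage
    ("cursor-app-local-auth", { Data(#"{"planUsage":{"percentUsed":19.5}}"#.utf8) }),
]
let snapshot = try fetchUsage(sources: sources)
print("\(snapshot.percentUsed)% used via \(snapshot.source)")
```

Carrying the winning source in the snapshot lets a caller show which account the numbers belong to when a later fallback answers instead of the configured one.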

@clawsweeper clawsweeper Bot added rating: 🧂 unranked krab Not merge-ready due to missing proof or serious correctness/safety concerns. and removed rating: 🦪 silver shellfish Thin PR readiness signal; proof, validation, or implementation needs work. labels Jun 4, 2026
@Jackie-Qin
Author

@clawsweeper re-review

Addressed the code findings:

  • 1b1416b3: adds Connect-Protocol-Version: 1 and rejects Dashboard responses without planUsage instead of returning a zero snapshot.
  • 148048d3: moves Cursor.app auth behind the existing manual/cached/browser/stored cookie sources, adds precedence coverage, and documents the local-auth fallback.

Validation is in the PR body. Live provider proof is still not run here because AGENTS.md requires an explicit request before real credential/provider probes.

clawsweeper Bot commented Jun 4, 2026

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

@Jackie-Qin
Author

@clawsweeper re-review

Please review current head 148048d3d9887e94279653e80a58450246867a7c. The previous re-review appears to have used stale head 1b1416b3 and repeated the precedence finding that 148048d3 fixes.

clawsweeper Bot commented Jun 4, 2026

🦞👀
ClawSweeper picked this up.

Command router queued. I will update this comment with the next step.

Re-review progress:

@Jackie-Qin
Author

@clawsweeper re-review

Added redacted live Cursor.app local-auth proof to the PR body for current head 148048d3d9887e94279653e80a58450246867a7c.

Proof summary:

  • CursorAppAuthStore().loadSession() read Cursor.app state.vscdb.
  • CursorStatusProbe.fetchWithAppAuthSession(_:) fetched DashboardService usage/account data.
  • GetCurrentPeriodUsage parsed planUsage successfully.
  • Bearer token was not printed; account was redacted.

clawsweeper Bot commented Jun 4, 2026

🦞👀
ClawSweeper picked this up.

Command router queued. I will update this comment with the next step.

Re-review progress:

@clawsweeper clawsweeper Bot added proof: sufficient Contributor real behavior proof is sufficient. rating: 🐚 platinum hermit Good normal PR readiness with ordinary maintainer review expected. status: 👀 ready for maintainer look ClawSweeper has no concrete contributor-facing blocker left for this PR. and removed rating: 🧂 unranked krab Not merge-ready due to missing proof or serious correctness/safety concerns. status: 📣 needs proof The PR needs real behavior proof before ClawSweeper can clear the contributor ask. labels Jun 4, 2026
Labels

merge-risk: 🚨 auth-provider 🚨 Merging this PR could break OAuth, tokens, provider routing, model choice, or credentials. merge-risk: 🚨 compatibility 🚨 Merging this PR could break existing users, config, migrations, defaults, or upgrades. P2 Normal priority bug or improvement with limited blast radius. proof: sufficient Contributor real behavior proof is sufficient. rating: 🐚 platinum hermit Good normal PR readiness with ordinary maintainer review expected. status: 👀 ready for maintainer look ClawSweeper has no concrete contributor-facing blocker left for this PR.
