
fix: use Cursor app auth as fallback#1295

Merged
steipete merged 11 commits into
steipete:mainfrom
Jackie-Qin:fix/cursor-app-auth-fallback
Jun 12, 2026

Conversation

@Jackie-Qin Jackie-Qin commented Jun 4, 2026

Contributor

Summary

  • Add Cursor.app local auth as the final fallback after manual, cached, browser, and stored cookie sources are absent or rejected as unauthenticated.
  • Read and validate Cursor's local access token, derive its first-party web session cookie, and reuse the existing usage-summary, account, and legacy request-quota flow.
  • Preserve account boundaries: selected-session transient failures remain authoritative and never silently switch to Cursor.app's account.
  • Reject malformed, expired, and near-expiry app tokens before network access; disable app auth during browser login verification.

Test Plan

  • swift test --filter CursorStatusProbeTests - 38 tests passed
  • swift test --filter CursorLoginRunnerTests - 3 tests passed
  • make check - SwiftFormat clean, SwiftLint 0 violations
  • Branch autoreview - no accepted/actionable findings; patch correct
  • Original eight-commit series preserved by git range-diff; three focused maintainer safety commits added

Exact-Head Live Validation

Validated commit aa4a25bae45a66a280c38aa2a3b77bde61a93a62 using the real local Cursor.app session and production Cursor endpoints. The temporary probe printed only redacted booleans and aggregate usage values; no token, account identifier, name, or email was exposed.

CURSOR_APP_AUTH_LIVE_OK plan_percent=0.0 plan_limit_usd=20.0 has_account=true has_reset=true membership_present=true request_quota_present=false

This proves successful app-token loading, first-party web-session derivation, authenticated usage retrieval, account metadata retrieval, and billing-cycle parsing on the exact pushed head. The account is not a legacy request-quota plan, so the request-quota field is correctly absent; that path is covered by focused regression tests.

clawsweeper Bot commented Jun 4, 2026


Codex review: needs real behavior proof before merge. Reviewed June 12, 2026, 7:43 AM ET / 11:43 UTC.

Summary
Review failed before ClawSweeper could summarize the requested change.

Reproducibility: unclear. The review failed before ClawSweeper could establish a reproduction path.

Review metrics: none identified.

Merge readiness
Overall: 🌊 off-meta tidepool
Proof: 🌊 off-meta tidepool
Patch quality: 🌊 off-meta tidepool
Result: rating does not apply to this item.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Risk before merge

  • [P1] No close action taken because the review did not complete.

Maintainer options:

  1. Decide the mitigation before merge
    Retry the Codex review after fixing the execution failure.
  2. Pause or close
    Do not merge this PR until maintainers decide whether the risk is worth taking.

Next step before merge

  • [P1] Review did not complete, so no work-lane recommendation was made.

Review details

Best possible solution:

Retry the Codex review after fixing the execution failure.

Do we have a high-confidence way to reproduce the issue?

Unclear. The review failed before ClawSweeper could establish a reproduction path.

Is this the best way to solve the issue?

Unclear. Retry the review first so ClawSweeper can evaluate the actual issue and fix direction.

AGENTS.md: unclear because the file could not be read completely.

Codex review notes: model internal, reasoning high; reviewed against 2cd2fe15a56a.

Label changes

Label changes:

  • add rating: 🌊 off-meta tidepool: Overall readiness is 🌊 off-meta tidepool; proof is 🌊 off-meta tidepool and patch quality is 🌊 off-meta tidepool.
  • remove rating: 🧂 unranked krab: Current PR rating is rating: 🌊 off-meta tidepool, so this older rating label is no longer current.
  • remove status: 📣 needs proof: Current PR status no longer selects a status label.
  • remove P2: Current review triage priority is none.
  • remove merge-risk: 🚨 compatibility: Current PR review selected no merge-risk labels.
  • remove merge-risk: 🚨 auth-provider: Current PR review selected no merge-risk labels.

Label justifications:

  • rating: 🌊 off-meta tidepool: Overall readiness is 🌊 off-meta tidepool; proof is 🌊 off-meta tidepool and patch quality is 🌊 off-meta tidepool.

Evidence reviewed

What I checked:

  • failure reason: retryable codex transport failure (capacity)
  • codex failure detail: Codex review failed for this PR with exit 1.
  • codex stderr: ",.
  • codex stdout: No stdout captured.

Likely related people:

  • unknown: Codex failed before it could trace repository history. (role: review did not complete; confidence: low)

What the crustacean ranks mean
  • 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
  • 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
  • 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
  • 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
  • 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
  • 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
  • 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works
  • ClawSweeper keeps one durable marker-backed review comment per issue or PR.
  • Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
  • A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
  • PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
  • Maintainers can also comment @clawsweeper review to request a fresh review only.
  • Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
  • Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
  • Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 69bf8e7407

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

@clawsweeper clawsweeper Bot added rating: 🦪 silver shellfish Thin PR readiness signal; proof, validation, or implementation needs work. status: 📣 needs proof The PR needs real behavior proof before ClawSweeper can clear the contributor ask. P2 Normal priority bug or improvement with limited blast radius. merge-risk: 🚨 compatibility 🚨 Merging this PR could break existing users, config, migrations, defaults, or upgrades. merge-risk: 🚨 auth-provider 🚨 Merging this PR could break OAuth, tokens, provider routing, model choice, or credentials. labels Jun 4, 2026
@Jackie-Qin

Contributor Author

Thanks for the automated review — both points were valid and are addressed in 1b1416b3.

Changes:

  • Added Connect-Protocol-Version: 1 to Cursor DashboardService requests.
  • Treat a Dashboard response without planUsage as a parse failure instead of returning a successful zero-usage snapshot, allowing the normal fallback path to continue.
  • Added regression coverage for the header and missing-planUsage case.

Validation:

  • swift test --filter CursorStatusProbeTests
  • make check
  • swift test

@clawsweeper clawsweeper Bot added rating: 🧂 unranked krab Not merge-ready due to missing proof or serious correctness/safety concerns. and removed rating: 🦪 silver shellfish Thin PR readiness signal; proof, validation, or implementation needs work. labels Jun 4, 2026
@Jackie-Qin

Contributor Author

@clawsweeper re-review

Addressed the code findings:

  • 1b1416b3: adds Connect-Protocol-Version: 1 and rejects Dashboard responses without planUsage instead of returning a zero snapshot.
  • 148048d3: moves Cursor.app auth behind the existing manual/cached/browser/stored cookie sources, adds precedence coverage, and documents the local-auth fallback.

Validation is in the PR body. Live provider proof is still not run here because AGENTS.md requires an explicit request before real credential/provider probes.

clawsweeper Bot commented Jun 4, 2026


🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

@Jackie-Qin

Contributor Author

@clawsweeper re-review

Please review current head 148048d3d9887e94279653e80a58450246867a7c. The previous re-review appears to have used stale head 1b1416b3 and repeated the precedence finding that 148048d3 fixes.

clawsweeper Bot commented Jun 4, 2026


🦞👀
ClawSweeper picked this up.

Command router queued. I will update this comment with the next step.

Re-review progress:

@Jackie-Qin

Contributor Author

@clawsweeper re-review

Added redacted live Cursor.app local-auth proof to the PR body for current head 148048d3d9887e94279653e80a58450246867a7c.

Proof summary:

  • CursorAppAuthStore().loadSession() read Cursor.app state.vscdb.
  • CursorStatusProbe.fetchWithAppAuthSession(_:) fetched DashboardService usage/account data.
  • GetCurrentPeriodUsage parsed planUsage successfully.
  • Bearer token was not printed; account was redacted.

clawsweeper Bot commented Jun 4, 2026


🦞👀
ClawSweeper picked this up.

Command router queued. I will update this comment with the next step.

Re-review progress:

@clawsweeper clawsweeper Bot added proof: sufficient Contributor real behavior proof is sufficient. rating: 🐚 platinum hermit Good normal PR readiness with ordinary maintainer review expected. status: 👀 ready for maintainer look ClawSweeper has no concrete contributor-facing blocker left for this PR. and removed rating: 🧂 unranked krab Not merge-ready due to missing proof or serious correctness/safety concerns. status: 📣 needs proof The PR needs real behavior proof before ClawSweeper can clear the contributor ask. labels Jun 4, 2026
@steipete steipete force-pushed the fix/cursor-app-auth-fallback branch from 148048d to 15b6cb2 Compare June 12, 2026 05:55

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 15b6cb217a

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

@clawsweeper clawsweeper Bot added rating: 🌊 off-meta tidepool PR readiness rating does not apply to this item. and removed proof: sufficient Contributor real behavior proof is sufficient. rating: 🐚 platinum hermit Good normal PR readiness with ordinary maintainer review expected. status: 👀 ready for maintainer look ClawSweeper has no concrete contributor-facing blocker left for this PR. labels Jun 12, 2026
@steipete steipete force-pushed the fix/cursor-app-auth-fallback branch from 15b6cb2 to 94e0c27 Compare June 12, 2026 08:25
@clawsweeper clawsweeper Bot added rating: 🦪 silver shellfish Thin PR readiness signal; proof, validation, or implementation needs work. and removed rating: 🌊 off-meta tidepool PR readiness rating does not apply to this item. labels Jun 12, 2026
@clawsweeper clawsweeper Bot added the status: 📣 needs proof The PR needs real behavior proof before ClawSweeper can clear the contributor ask. label Jun 12, 2026
@steipete steipete force-pushed the fix/cursor-app-auth-fallback branch from 94e0c27 to 4e85cae Compare June 12, 2026 10:08
@steipete

Owner

Rebased current head onto main and addressed the final auth-safety review finding.

  • Cursor.app JWT fallback now requires a valid user subject and an access token with more than 60 seconds remaining.
  • Expired, malformed, and opaque local tokens are skipped before any network request; no refresh-token exchange was added without a verified provider contract.
  • swift test --filter CursorStatusProbeTests: 37 passed.
  • make check: clean.
  • Full branch autoreview: clean, 0.86 confidence.

Current head: 4e85caee. This remains intentionally unmerged: the existing exact-head live-auth blocker still applies, and the last real DashboardService request returned HTTP 401.
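The two safety rules this thread converges on, the offline token precheck from the comment above (non-empty user subject, more than 60 seconds remaining, malformed and opaque tokens skipped before any network request) and the precedence rule from the PR summary (a transient failure of the selected session is authoritative and never falls through to Cursor.app), modelled as an added Python example that is not code from this PR or from the CodexBar project. The JWT claim names `sub`/`exp`, the token layout, the source names and the return strings are assumptions.

```python
import base64
import json
from enum import Enum
from typing import Optional

MIN_REMAINING_SECONDS = 60  # from the PR: skip tokens with 60 s or less left


class SourceResult(Enum):
    ABSENT = "absent"           # nothing stored for this source
    UNAUTHENTICATED = "unauth"  # the server rejected the credential
    TRANSIENT = "transient"     # network/server error; identity still valid
    OK = "ok"


def make_claims_token(claims: dict) -> str:
    """Constructed sample for tests: JWT layout, {"alg":"none"} header, dummy signature."""
    body = base64.urlsafe_b64encode(json.dumps(claims).encode()).decode().rstrip("=")
    return f"eyJhbGciOiJub25lIn0.{body}.constructed-signature"


def app_token_usable(token: str, now: float) -> bool:
    """Offline precheck run before any network request (claim names assumed):
    three segments, non-empty string 'sub', numeric 'exp' more than
    MIN_REMAINING_SECONDS past `now`. Signature verification stays server-side."""
    parts = token.split(".")
    if len(parts) != 3:
        return False  # opaque or malformed: never sent anywhere
    try:
        payload = parts[1] + "=" * (-len(parts[1]) % 4)
        claims = json.loads(base64.urlsafe_b64decode(payload))
        sub, exp = claims.get("sub"), claims.get("exp")
    except (ValueError, AttributeError):  # bad base64/UTF-8/JSON, or not an object
        return False
    if not isinstance(sub, str) or not sub:
        return False
    if isinstance(exp, bool) or not isinstance(exp, (int, float)):
        return False
    return exp - now > MIN_REMAINING_SECONDS


def resolve_auth(sources, app_token: Optional[str], now: float) -> str:
    """Walk (name, SourceResult) pairs in precedence order; a transient failure is
    authoritative (no account switch). Cursor.app is last and only if all were absent/unauth."""
    for name, result in sources:
        if result is SourceResult.OK:
            return name
        if result is SourceResult.TRANSIENT:
            return f"{name}:retry-later"
    if app_token is not None and app_token_usable(app_token, now):
        return "cursor-app"
    return "none"
```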

@clawsweeper clawsweeper Bot added rating: 🧂 unranked krab Not merge-ready due to missing proof or serious correctness/safety concerns. and removed rating: 🦪 silver shellfish Thin PR readiness signal; proof, validation, or implementation needs work. labels Jun 12, 2026
@steipete steipete force-pushed the fix/cursor-app-auth-fallback branch from 4e85cae to aa4a25b Compare June 12, 2026 11:38
@clawsweeper clawsweeper Bot added rating: 🌊 off-meta tidepool PR readiness rating does not apply to this item. and removed rating: 🧂 unranked krab Not merge-ready due to missing proof or serious correctness/safety concerns. status: 📣 needs proof The PR needs real behavior proof before ClawSweeper can clear the contributor ask. labels Jun 12, 2026
@steipete steipete merged commit b60a510 into steipete:main Jun 12, 2026
4 checks passed