@cursorpool-dev/cli 0.5.6

package/node_modules/@cursor-pool/service/test/requestCheck.test.ts

@@ -0,0 +1,152 @@
+import assert from 'node:assert/strict';
+import test from 'node:test';
+import {
+  createRequestCheckStore,
+  sanitizeAgentRequestCheck,
+  type AgentRequestCheck,
+} from '../src/requestCheck';
+
+const allowedDecision = {
+  state: 'allowed' as const,
+  productId: 'prod_basic',
+  modeStartedAt: '2026-05-31T00:05:00.000Z',
+};
+
+test('sanitizeAgentRequestCheck keeps only safe metadata fields', () => {
+  const check = sanitizeAgentRequestCheck(
+    {
+      requestId: 'req-1',
+      requestType: 'other',
+      source: 'cursor-agent-exec',
+      model: 'gpt-4.1-mini',
+      prompt: 'discard this',
+      messages: [{ role: 'user', content: 'discard this too' }],
+      headers: { authorization: 'Bearer secret' },
+      cookie: 'secret',
+      authorization: 'Bearer secret',
+      apiKey: 'secret',
+      cursorAuthToken: 'secret',
+      providerSecret: 'secret',
+      body: { hidden: true },
+    },
+    {
+      runtimeId: 'runtime-1',
+      decision: allowedDecision,
+      now: () => '2026-05-31T00:10:00.000Z',
+      requestId: () => 'generated-request-id',
+    },
+  );
+
+  assert.deepEqual(check, {
+    requestId: 'req-1',
+    requestType: 'agent',
+    source: 'cursor-agent-exec',
+    model: 'gpt-4.1-mini',
+    receivedAt: '2026-05-31T00:10:00.000Z',
+    runtimeId: 'runtime-1',
+    decision: allowedDecision,
+    route: { state: 'missing' },
+  });
+  assert.equal(Object.hasOwn(check, 'prompt'), false);
+  assert.equal(Object.hasOwn(check, 'messages'), false);
+  assert.equal(Object.hasOwn(check, 'headers'), false);
+  assert.equal(Object.hasOwn(check, 'cookie'), false);
+  assert.equal(Object.hasOwn(check, 'authorization'), false);
+  assert.equal(Object.hasOwn(check, 'apiKey'), false);
+  assert.equal(Object.hasOwn(check, 'cursorAuthToken'), false);
+  assert.equal(Object.hasOwn(check, 'providerSecret'), false);
+  assert.equal(Object.hasOwn(check, 'body'), false);
+});
+
+test('sanitizeAgentRequestCheck normalizes unsafe request metadata', () => {
+  const check = sanitizeAgentRequestCheck(
+    {
+      requestId: '',
+      source: 'extension',
+      model: 'sk-live-secret-token',
+    },
+    {
+      runtimeId: 'runtime-1',
+      decision: { state: 'blocked', reason: 'logged-out' },
+      now: () => '2026-05-31T00:10:00.000Z',
+      requestId: () => 'generated-request-id',
+    },
+  );
+
+  assert.deepEqual(check, {
+    requestId: 'generated-request-id',
+    requestType: 'agent',
+    source: 'manual-check',
+    model: 'unknown',
+    receivedAt: '2026-05-31T00:10:00.000Z',
+    runtimeId: 'runtime-1',
+    decision: { state: 'blocked', reason: 'logged-out' },
+    route: { state: 'missing' },
+  });
+});
+
+test('sanitizeAgentRequestCheck keeps safe route state without route token', () => {
+  const check = sanitizeAgentRequestCheck(
+    {
+      requestId: 'req-route',
+      source: 'manual-check',
+      model: 'gpt-test',
+      routeToken: 'rt_secret_value',
+      token: 'discard this',
+    },
+    {
+      runtimeId: 'runtime-1',
+      decision: allowedDecision,
+      route: { state: 'ready', expiresAt: '2026-05-31T00:10:00.000Z' },
+      now: () => '2026-05-31T00:05:00.000Z',
+    },
+  );
+
+  assert.deepEqual(check.route, { state: 'ready', expiresAt: '2026-05-31T00:10:00.000Z' });
+  assert.equal(Object.hasOwn(check, 'routeToken'), false);
+  assert.equal(Object.hasOwn(check, 'token'), false);
+});
+
+test('sanitizeAgentRequestCheck accepts manual-check source and short safe model tokens', () => {
+  const check = sanitizeAgentRequestCheck(
+    {
+      requestId: 'req-2',
+      source: 'manual-check',
+      model: 'claude-3.7-sonnet_test',
+    },
+    {
+      runtimeId: 'runtime-1',
+      decision: { state: 'blocked', reason: 'mode-inactive' },
+      now: () => '2026-05-31T00:10:00.000Z',
+    },
+  );
+
+  assert.equal(check.requestId, 'req-2');
+  assert.equal(check.source, 'manual-check');
+  assert.equal(check.model, 'claude-3.7-sonnet_test');
+});
+
+test('createRequestCheckStore records and returns only the latest check', () => {
+  const first: AgentRequestCheck = {
+    requestId: 'req-1',
+    requestType: 'agent',
+    source: 'manual-check',
+    model: 'unknown',
+    receivedAt: '2026-05-31T00:10:00.000Z',
+    runtimeId: 'runtime-1',
+    decision: { state: 'blocked', reason: 'logged-out' },
+    route: { state: 'missing' },
+  };
+  const second: AgentRequestCheck = {
+    ...first,
+    requestId: 'req-2',
+    decision: allowedDecision,
+  };
+  const store = createRequestCheckStore();
+
+  assert.equal(store.latest(), null);
+  assert.deepEqual(store.record(first), first);
+  assert.deepEqual(store.latest(), first);
+  assert.deepEqual(store.record(second), second);
+  assert.deepEqual(store.latest(), second);
+});

package/node_modules/@cursor-pool/service/test/requestGate.test.ts

@@ -0,0 +1,207 @@
+import assert from 'node:assert/strict';
+import { mkdtemp, rm, writeFile } from 'node:fs/promises';
+import { tmpdir } from 'node:os';
+import { join } from 'node:path';
+import test from 'node:test';
+import { evaluateRequestGate, evaluateRouteState } from '../src/requestGate';
+import type { PlatformSession } from '../src/platformSession';
+
+const baseSession: PlatformSession = {
+  apiBaseUrl: 'http://127.0.0.1:9',
+  deviceToken: 'device-token',
+  createdAt: '2026-05-31T00:00:00.000Z',
+  user: { id: 'usr_1', email: 'dev@example.com' },
+  device: { id: 'dev_1', status: 'active', lastHeartbeatAt: '2026-05-31T00:00:00.000Z' },
+};
+
+async function withSessionFile(run: (sessionFile: string) => Promise<void>) {
+  const tempDir = await mkdtemp(join(tmpdir(), 'cursor-pool-request-gate-'));
+  const sessionFile = join(tempDir, 'session.json');
+
+  try {
+    await run(sessionFile);
+  } finally {
+    await rm(tempDir, { recursive: true, force: true });
+  }
+}
+
+async function writeSession(sessionFile: string, session: Record<string, unknown>) {
+  await writeFile(sessionFile, `${JSON.stringify(session, null, 2)}\n`);
+}
+
+test('evaluateRequestGate blocks logged-out requests when there is no session', async () => {
+  await withSessionFile(async (sessionFile) => {
+    assert.deepEqual(await evaluateRequestGate({ sessionFile }), {
+      state: 'blocked',
+      reason: 'logged-out',
+    });
+  });
+});
+
+test('evaluateRequestGate blocks invalid requests for corrupt JSON and incomplete sessions', async () => {
+  await withSessionFile(async (sessionFile) => {
+    await writeFile(sessionFile, '{not-json');
+
+    assert.deepEqual(await evaluateRequestGate({ sessionFile }), {
+      state: 'blocked',
+      reason: 'invalid-session',
+    });
+
+    await writeSession(sessionFile, { ...baseSession, deviceToken: undefined });
+
+    assert.deepEqual(await evaluateRequestGate({ sessionFile }), {
+      state: 'blocked',
+      reason: 'invalid-session',
+    });
+  });
+});
+
+test('evaluateRequestGate returns fresh invalid-session decisions', async () => {
+  await withSessionFile(async (sessionFile) => {
+    await writeFile(sessionFile, '{not-json');
+
+    const first = await evaluateRequestGate({ sessionFile });
+    (first as { reason: string }).reason = 'mode-inactive';
+
+    assert.deepEqual(await evaluateRequestGate({ sessionFile }), {
+      state: 'blocked',
+      reason: 'invalid-session',
+    });
+  });
+});
+
+test('evaluateRequestGate blocks requests when device is inactive', async () => {
+  await withSessionFile(async (sessionFile) => {
+    await writeSession(sessionFile, {
+      ...baseSession,
+      device: { ...baseSession.device, status: 'removed' },
+      platformMode: 'active',
+      activeProductId: 'prod_basic',
+      platformModeStartedAt: '2026-05-31T00:01:00.000Z',
+    });
+
+    assert.deepEqual(await evaluateRequestGate({ sessionFile }), {
+      state: 'blocked',
+      reason: 'device-inactive',
+    });
+  });
+});
+
+test('evaluateRequestGate blocks requests when mode is inactive', async () => {
+  await withSessionFile(async (sessionFile) => {
+    await writeSession(sessionFile, {
+      ...baseSession,
+      platformMode: 'inactive',
+    });
+
+    assert.deepEqual(await evaluateRequestGate({ sessionFile }), {
+      state: 'blocked',
+      reason: 'mode-inactive',
+    });
+  });
+});
+
+test('evaluateRequestGate includes release fields when inactive mode has release metadata', async () => {
+  await withSessionFile(async (sessionFile) => {
+    await writeSession(sessionFile, {
+      ...baseSession,
+      platformMode: 'inactive',
+      lastModeReleaseReason: 'insufficient-credits',
+      lastModeReleasedAt: '2026-05-31T00:02:00.000Z',
+    });
+
+    assert.deepEqual(await evaluateRequestGate({ sessionFile }), {
+      state: 'blocked',
+      reason: 'mode-released',
+      releaseReason: 'insufficient-credits',
+      releasedAt: '2026-05-31T00:02:00.000Z',
+    });
+  });
+});
+
+test('evaluateRequestGate allows active mode requests with product and start metadata', async () => {
+  await withSessionFile(async (sessionFile) => {
+    await writeSession(sessionFile, {
+      ...baseSession,
+      platformMode: 'active',
+      activeProductId: 'prod_basic',
+      platformModeStartedAt: '2026-05-31T00:01:00.000Z',
+    });
+
+    assert.deepEqual(await evaluateRequestGate({ sessionFile }), {
+      state: 'allowed',
+      productId: 'prod_basic',
+      modeStartedAt: '2026-05-31T00:01:00.000Z',
+    });
+  });
+});
+
+test('evaluateRequestGate blocks active mode requests with empty string active fields', async () => {
+  await withSessionFile(async (sessionFile) => {
+    await writeSession(sessionFile, {
+      ...baseSession,
+      platformMode: 'active',
+      activeProductId: '',
+      platformModeStartedAt: '',
+    });
+
+    assert.deepEqual(await evaluateRequestGate({ sessionFile }), {
+      state: 'blocked',
+      reason: 'mode-inactive',
+    });
+  });
+});
+
+test('evaluateRouteState reports ready route without exposing token', async () => {
+  await withSessionFile(async (sessionFile) => {
+    await writeSession(sessionFile, {
+      ...baseSession,
+      platformMode: 'active',
+      activeProductId: 'prod_basic',
+      platformModeStartedAt: '2026-05-31T00:05:00.000Z',
+      routeToken: {
+        token: 'rt_secret_value',
+        expiresAt: '2026-05-31T00:10:00.000Z',
+      },
+    });
+
+    assert.deepEqual(
+      await evaluateRouteState({
+        sessionFile,
+        now: () => '2026-05-31T00:06:00.000Z',
+      }),
+      { state: 'ready', expiresAt: '2026-05-31T00:10:00.000Z' },
+    );
+  });
+});
+
+test('evaluateRouteState reports missing and expired route states', async () => {
+  await withSessionFile(async (sessionFile) => {
+    const expiredSessionFile = join(sessionFile, '../expired-route.json');
+    await writeSession(sessionFile, {
+      ...baseSession,
+      platformMode: 'active',
+      activeProductId: 'prod_basic',
+      platformModeStartedAt: '2026-05-31T00:05:00.000Z',
+    });
+    await writeSession(expiredSessionFile, {
+      ...baseSession,
+      platformMode: 'active',
+      activeProductId: 'prod_basic',
+      platformModeStartedAt: '2026-05-31T00:05:00.000Z',
+      routeToken: {
+        token: 'rt_secret_value',
+        expiresAt: '2026-05-31T00:04:00.000Z',
+      },
+    });
+
+    assert.deepEqual(await evaluateRouteState({ sessionFile }), { state: 'missing' });
+    assert.deepEqual(
+      await evaluateRouteState({
+        sessionFile: expiredSessionFile,
+        now: () => '2026-05-31T00:06:00.000Z',
+      }),
+      { state: 'expired', expiresAt: '2026-05-31T00:04:00.000Z' },
+    );
+  });
+});