@cursorpool-dev/cli 0.5.6

package/node_modules/@cursor-pool/service/test/server.test.ts

@@ -0,0 +1,2570 @@
+import assert from 'node:assert/strict';
+import { createServer as createNodeServer, request as createHttpRequest, type IncomingMessage, type ServerResponse } from 'node:http';
+import { mkdtemp, readFile, rm, writeFile } from 'node:fs/promises';
+import { tmpdir } from 'node:os';
+import { join } from 'node:path';
+import test from 'node:test';
+import { startServer } from '../src/server';
+import { writeClientConfig } from '../../shared/src/clientConfig';
+
+async function requestJson(
+  port: number,
+  path: string,
+  options: { method?: string; body?: Record<string, unknown>; headers?: Record<string, string> } = {},
+) {
+  const response = await fetch(`http://127.0.0.1:${port}${path}`, {
+    method: options.method ?? 'GET',
+    headers: {
+      ...(options.body ? { 'content-type': 'application/json' } : {}),
+      ...options.headers,
+    },
+    body: options.body ? JSON.stringify(options.body) : undefined,
+  });
+
+  return {
+    status: response.status,
+    body: await response.json(),
+  };
+}
+
+async function requestRaw(
+  port: number,
+  path: string,
+  options: { method?: string; headers?: Record<string, string> } = {},
+) {
+  return fetch(`http://127.0.0.1:${port}${path}`, {
+    method: options.method ?? 'GET',
+    headers: options.headers,
+  });
+}
+
+async function requestText(
+  port: number,
+  path: string,
+  options: { method?: string; body?: Record<string, unknown>; headers?: Record<string, string> } = {},
+) {
+  const response = await fetch(`http://127.0.0.1:${port}${path}`, {
+    method: options.method ?? 'GET',
+    headers: {
+      ...(options.body ? { 'content-type': 'application/json' } : {}),
+      ...options.headers,
+    },
+    body: options.body ? JSON.stringify(options.body) : undefined,
+  });
+
+  return {
+    status: response.status,
+    text: await response.text(),
+  };
+}
+
+async function postJsonAndAbort(port: number, path: string, body: Record<string, unknown>, abortAfterMs = 20) {
+  await new Promise<void>((resolve) => {
+    const payload = JSON.stringify(body);
+    const request = createHttpRequest({
+      host: '127.0.0.1',
+      port,
+      path,
+      method: 'POST',
+      headers: {
+        'content-type': 'application/json',
+        'content-length': Buffer.byteLength(payload),
+      },
+    });
+    request.on('error', () => resolve());
+    request.write(payload);
+    request.end();
+    setTimeout(() => {
+      request.destroy();
+      resolve();
+    }, abortAfterMs);
+  });
+}
+
+async function waitFor(predicate: () => boolean, timeoutMs = 500) {
+  const started = Date.now();
+  while (!predicate()) {
+    if (Date.now() - started > timeoutMs) {
+      return false;
+    }
+    await new Promise((resolve) => setTimeout(resolve, 10));
+  }
+  return true;
+}
+
+function writeJson(response: ServerResponse, statusCode: number, body: Record<string, unknown>) {
+  const payload = JSON.stringify(body);
+  response.writeHead(statusCode, {
+    'content-type': 'application/json',
+    'content-length': Buffer.byteLength(payload),
+  });
+  response.end(payload);
+}
+
+async function createPlatformApiServer(handler: (request: IncomingMessage, response: ServerResponse) => void) {
+  const server = createNodeServer(handler);
+  await new Promise<void>((resolve) => {
+    server.listen(0, '127.0.0.1', resolve);
+  });
+  const address = server.address();
+  assert.equal(typeof address, 'object');
+
+  return {
+    apiBaseUrl: `http://127.0.0.1:${address?.port}`,
+    close: () => new Promise<void>((resolve, reject) => {
+      server.close((error) => (error ? reject(error) : resolve()));
+    }),
+  };
+}
+
+test('local service exposes health, metadata, extension status, and mode endpoints on loopback', async () => {
+  const tempDir = await mkdtemp(join(tmpdir(), 'cursor-pool-service-'));
+  const runtimeFile = join(tempDir, 'runtime.json');
+  const forwarded: Record<string, unknown>[] = [];
+  const service = await startServer({
+    runtimeFile,
+    platformSessionFile: join(tempDir, 'missing-platform-session.json'),
+    onMetadata(metadata) {
+      forwarded.push(metadata);
+    },
+  });
+
+  try {
+    const address = service.server.address();
+    assert.equal(typeof address, 'object');
+    assert.equal(address?.address, '127.0.0.1');
+    assert.equal(service.host, '127.0.0.1');
+
+    const health = await requestJson(service.port, '/health');
+    assert.equal(health.status, 200);
+    assert.equal(health.body.host, '127.0.0.1');
+    assert.equal(health.body.port, service.port);
+    assert.equal(health.body.runtimeId, service.runtimeId);
+    assert.equal(health.body.ok, true);
+
+    const metadata = await requestJson(service.port, '/cursor-metadata', {
+      method: 'POST',
+      body: {
+        requestId: 'req-1',
+        requestType: 'agent',
+        source: 'cursor-agent-exec',
+        prompt: 'secret prompt',
+        apiKey: 'secret-key',
+      },
+    });
+    assert.equal(metadata.status, 200);
+    assert.deepEqual(forwarded[0], {
+      requestId: 'req-1',
+      model: 'unknown',
+      requestType: 'agent',
+      source: 'cursor-agent-exec',
+    });
+    assert.deepEqual(metadata.body.metadata, forwarded[0]);
+
+    const extensionStatus = await requestJson(service.port, '/extension/status', {
+      method: 'POST',
+      body: { connected: true, cursorVersion: '1.0.0', token: 'discard-me' },
+    });
+    assert.equal(extensionStatus.status, 200);
+    assert.equal(extensionStatus.body.ok, true);
+    assert.deepEqual(extensionStatus.body.status, {
+      connected: true,
+      cursorVersion: '1.0.0',
+    });
+
+    const started = await requestJson(service.port, '/mode/start', { method: 'POST' });
+    assert.equal(started.status, 200);
+    assert.deepEqual(started.body, { state: 'logged-out' });
+
+    const stopped = await requestJson(service.port, '/mode/stop', { method: 'POST' });
+    assert.equal(stopped.status, 200);
+    assert.deepEqual(stopped.body, { state: 'inactive' });
+
+    const shutdown = await requestJson(service.port, '/shutdown', { method: 'POST' });
+    assert.equal(shutdown.status, 200);
+    assert.equal(shutdown.body.ok, true);
+
+    await assert.rejects(fetch(`http://127.0.0.1:${service.port}/health`), /fetch failed/);
+  } finally {
+    await service.stop();
+    await rm(tempDir, { recursive: true, force: true });
+  }
+});
+
+test('shutdown endpoint calls the process shutdown hook after closing the server', async () => {
+  const tempDir = await mkdtemp(join(tmpdir(), 'cursor-pool-service-shutdown-'));
+  const runtimeFile = join(tempDir, 'runtime.json');
+  let shutdownCalled = false;
+  const service = await startServer({
+    runtimeFile,
+    onShutdown() {
+      shutdownCalled = true;
+    },
+  });
+
+  try {
+    const shutdown = await requestJson(service.port, '/shutdown', { method: 'POST' });
+    assert.equal(shutdown.status, 200);
+    assert.equal(shutdown.body.ok, true);
+    assert.equal(await waitFor(() => shutdownCalled), true);
+  } finally {
+    await service.stop();
+    await rm(tempDir, { recursive: true, force: true });
+  }
+});
+
+test('local service exposes platform session routes on loopback', async () => {
+  const tempDir = await mkdtemp(join(tmpdir(), 'cursor-pool-service-platform-'));
+  const platformSessionFile = join(tempDir, 'platform-session.json');
+  const calls: Record<string, unknown>[] = [];
+  const platformApi = await createPlatformApiServer((request, response) => {
+    if (request.method === 'GET' && request.url === '/me') {
+      assert.equal(request.headers.authorization, 'Bearer cp_dev_secret');
+      writeJson(response, 200, {
+        user: { id: 'usr_1', email: 'dev@example.com' },
+        device: { id: 'dev_1', status: 'active', lastHeartbeatAt: '2026-05-30T00:00:30Z' },
+      });
+      return;
+    }
+
+    if (request.method === 'GET' && request.url === '/account/summary') {
+      assert.equal(request.headers.authorization, 'Bearer cp_dev_secret');
+      writeJson(response, 200, { credits: 1000 });
+      return;
+    }
+
+    if (request.method === 'GET' && request.url === '/products') {
+      assert.equal(request.headers.authorization, 'Bearer cp_dev_secret');
+      writeJson(response, 200, {
+        products: [
+          {
+            id: 'prod_basic',
+            name: '基础组',
+            description: '开发态基础商品，用于验证扩展展示。',
+            status: 'available',
+            minCredits: 100,
+            usageLabel: '按请求消耗，倍率 1x',
+          },
+        ],
+      });
+      return;
+    }
+
+    writeJson(response, 404, { ok: false });
+  });
+  const service = await startServer({
+    runtimeFile: join(tempDir, 'runtime.json'),
+    platformSessionFile,
+    platformApiBaseUrl: `${platformApi.apiBaseUrl}/`,
+    platformExchangePasswordDeviceToken(request) {
+      calls.push({ type: 'login', request });
+      return Promise.resolve({
+        deviceToken: 'cp_dev_secret',
+        user: { id: 'usr_1', email: 'dev@example.com' },
+        device: { id: 'dev_1', status: 'active', lastHeartbeatAt: '2026-05-30T00:00:00Z' },
+      });
+    },
+    platformPostHeartbeat(request) {
+      calls.push({ type: 'heartbeat', request });
+      return Promise.resolve({
+        ok: true,
+        device: { id: 'dev_1', status: 'active', lastHeartbeatAt: '2026-05-30T00:01:00Z' },
+      });
+    },
+    platformPostLogout(request) {
+      calls.push({ type: 'logout', request });
+      return Promise.resolve();
+    },
+    platformStartPoolSession(request) {
+      calls.push({ type: 'pool-start', request });
+      return Promise.resolve({
+        state: 'started',
+        session: {
+          id: 'pool_sess_1',
+          productId: request.productId,
+          providerType: 'mock-provider',
+          status: 'active',
+          startedAt: '2026-05-31T00:00:00.000Z',
+          expiresAt: '2026-05-31T01:00:00.000Z',
+          routeTokenExpiresAt: '2026-05-31T00:10:00.000Z',
+          routeStrategy: 'platform-gateway',
+          bannedModels: [],
+          capabilities: {
+            streaming: true,
+            usageEstimate: false,
+            hardSpendLimit: false,
+          },
+        },
+        routeToken: 'rt_secret_value',
+      });
+    },
+    platformStopPoolSession(request) {
+      calls.push({ type: 'pool-stop', request });
+      return Promise.resolve({ state: 'stopped', sessionId: request.poolSessionId });
+    },
+  });
+
+  try {
+    const initial = await requestJson(service.port, '/platform/status');
+    assert.equal(initial.status, 200);
+    assert.deepEqual(initial.body, { state: 'logged-out' });
+
+    const initialCatalog = await requestJson(service.port, '/platform/catalog');
+    assert.equal(initialCatalog.status, 200);
+    assert.deepEqual(initialCatalog.body, { state: 'logged-out', products: [] });
+
+    const login = await requestJson(service.port, '/platform/login', {
+      method: 'POST',
+      body: {
+        email: 'dev@example.com',
+        password: 'correct-password',
+        device: { name: 'Lin Mac', os: 'darwin', arch: 'arm64' },
+      },
+    });
+    assert.equal(login.status, 200);
+    assert.equal(login.body.state, 'logged-in');
+    assert.deepEqual(login.body.user, { id: 'usr_1', email: 'dev@example.com' });
+    assert.equal(login.body.device.lastHeartbeatAt, '2026-05-30T00:00:00Z');
+
+    assert.equal(calls[0]?.type, 'login');
+    assert.deepEqual((calls[0]?.request as Record<string, unknown>).device, {
+      name: 'Lin Mac',
+      os: 'darwin',
+      arch: 'arm64',
+    });
+    assert.equal((calls[0]?.request as Record<string, unknown>).email, 'dev@example.com');
+    assert.equal((calls[0]?.request as Record<string, unknown>).password, 'correct-password');
+    assert.equal((calls[0]?.request as Record<string, unknown>).apiBaseUrl, `${platformApi.apiBaseUrl}/`);
+
+    const saved = JSON.parse(await readFile(platformSessionFile, 'utf8')) as Record<string, unknown>;
+    assert.equal(saved.apiBaseUrl, platformApi.apiBaseUrl);
+    assert.equal(saved.deviceToken, 'cp_dev_secret');
+    assert.deepEqual(saved.user, { id: 'usr_1', email: 'dev@example.com' });
+
+    const loggedInStatus = await requestJson(service.port, '/platform/status');
+    assert.equal(loggedInStatus.status, 200);
+    assert.equal(loggedInStatus.body.state, 'logged-in');
+    assert.deepEqual(loggedInStatus.body.user, { id: 'usr_1', email: 'dev@example.com' });
+    assert.equal(loggedInStatus.body.device.lastHeartbeatAt, '2026-05-30T00:00:30Z');
+    assert.deepEqual(loggedInStatus.body.mode, { state: 'inactive' });
+
+    const loggedInCatalog = await requestJson(service.port, '/platform/catalog');
+    assert.equal(loggedInCatalog.status, 200);
+    assert.deepEqual(loggedInCatalog.body, {
+      state: 'logged-in',
+      account: { credits: 1000 },
+      mode: { state: 'inactive' },
+      products: [
+        {
+          id: 'prod_basic',
+          name: '基础组',
+          description: '开发态基础商品，用于验证扩展展示。',
+          status: 'available',
+          minCredits: 100,
+          usageLabel: '按请求消耗，倍率 1x',
+        },
+      ],
+    });
+
+    const selection = await requestJson(service.port, '/platform/selection', {
+      method: 'POST',
+      body: { productId: 'prod_basic' },
+    });
+    assert.equal(selection.status, 200);
+    assert.deepEqual(selection.body, {
+      state: 'selected',
+      selectedProductId: 'prod_basic',
+    });
+
+    const selectedCatalog = await requestJson(service.port, '/platform/catalog');
+    assert.equal(selectedCatalog.status, 200);
+    assert.equal(selectedCatalog.body.state, 'logged-in');
+    assert.equal(selectedCatalog.body.selectedProductId, 'prod_basic');
+    assert.deepEqual(selectedCatalog.body.mode, { state: 'inactive' });
+    assert.equal(calls.some((call) => call.type === 'pool-start'), false);
+
+    const modeStart = await requestJson(service.port, '/mode/start', { method: 'POST' });
+    assert.equal(modeStart.status, 200);
+    assert.equal(modeStart.body.state, 'active');
+    assert.equal(modeStart.body.productId, 'prod_basic');
+    assert.equal(calls[1]?.type, 'pool-start');
+    assert.equal(
+      ((calls[1]?.request as Record<string, unknown>).session as Record<string, unknown>).deviceToken,
+      'cp_dev_secret',
+    );
+    assert.equal((calls[1]?.request as Record<string, unknown>).productId, 'prod_basic');
+
+    const activeCatalog = await requestJson(service.port, '/platform/catalog');
+    assert.equal(activeCatalog.status, 200);
+    assert.equal(activeCatalog.body.mode.state, 'active');
+    assert.equal(activeCatalog.body.mode.productId, 'prod_basic');
+
+    const modeStop = await requestJson(service.port, '/mode/stop', { method: 'POST' });
+    assert.equal(modeStop.status, 200);
+    assert.deepEqual(modeStop.body, { state: 'inactive' });
+    assert.equal(calls[2]?.type, 'pool-stop');
+    assert.equal((calls[2]?.request as Record<string, unknown>).poolSessionId, 'pool_sess_1');
+    assert.equal((calls[2]?.request as Record<string, unknown>).reason, 'user-stop');
+
+    const invalidSelection = await requestJson(service.port, '/platform/selection', {
+      method: 'POST',
+      body: {},
+    });
+    assert.equal(invalidSelection.status, 400);
+    assert.deepEqual(invalidSelection.body, { ok: false, error: 'invalid request' });
+
+    const heartbeat = await requestJson(service.port, '/platform/heartbeat', {
+      method: 'POST',
+      body: { serviceStatus: 'running' },
+    });
+    assert.equal(heartbeat.status, 200);
+    assert.equal(heartbeat.body.state, 'logged-in');
+    assert.equal(heartbeat.body.device.lastHeartbeatAt, '2026-05-30T00:01:00Z');
+    assert.equal(calls[3]?.type, 'heartbeat');
+    assert.equal(
+      ((calls[3]?.request as Record<string, unknown>).session as Record<string, unknown>).deviceToken,
+      'cp_dev_secret',
+    );
+    assert.deepEqual((calls[3]?.request as Record<string, unknown>).payload, { serviceStatus: 'running' });
+
+    const logout = await requestJson(service.port, '/platform/logout', { method: 'POST' });
+    assert.equal(logout.status, 200);
+    assert.deepEqual(logout.body, { state: 'logged-out' });
+    assert.equal(calls[4]?.type, 'logout');
+
+    const finalStatus = await requestJson(service.port, '/platform/status');
+    assert.equal(finalStatus.status, 200);
+    assert.deepEqual(finalStatus.body, { state: 'logged-out' });
+
+    const finalCatalog = await requestJson(service.port, '/platform/catalog');
+    assert.equal(finalCatalog.status, 200);
+    assert.deepEqual(finalCatalog.body, { state: 'logged-out', products: [] });
+  } finally {
+    await service.stop();
+    await platformApi.close();
+    await rm(tempDir, { recursive: true, force: true });
+  }
+});
+
+test('local service logs in with account password without accepting API URL from client body', async () => {
+  const tempDir = await mkdtemp(join(tmpdir(), 'cursor-pool-service-password-'));
+  const platformSessionFile = join(tempDir, 'platform-session.json');
+  const calls: Record<string, unknown>[] = [];
+  const service = await startServer({
+    runtimeFile: join(tempDir, 'runtime.json'),
+    platformSessionFile,
+    platformApiBaseUrl: 'https://platform.example.test/',
+    platformExchangePasswordDeviceToken(request) {
+      calls.push(request);
+      return Promise.resolve({
+        deviceToken: 'cp_dev_secret',
+        user: { id: 'usr_1', email: 'dev@example.com' },
+        device: { id: 'dev_1', status: 'active', lastHeartbeatAt: '2026-05-30T00:00:00Z' },
+      });
+    },
+  });
+
+  try {
+    const login = await requestJson(service.port, '/platform/login', {
+      method: 'POST',
+      body: {
+        email: 'dev@example.com',
+        password: 'correct-password',
+        apiBaseUrl: 'https://attacker.example.test',
+        code: 'SHOULD-NOT-BE-USED',
+        device: { name: 'Lin Mac', os: 'darwin', arch: 'arm64' },
+      },
+    });
+
+    assert.equal(login.status, 200);
+    assert.equal(login.body.state, 'logged-in');
+    assert.deepEqual(calls[0], {
+      email: 'dev@example.com',
+      password: 'correct-password',
+      apiBaseUrl: 'https://platform.example.test/',
+      device: { name: 'Lin Mac', os: 'darwin', arch: 'arm64' },
+    });
+
+    const saved = JSON.parse(await readFile(platformSessionFile, 'utf8')) as Record<string, unknown>;
+    assert.equal(saved.apiBaseUrl, 'https://platform.example.test');
+    assert.equal(saved.deviceToken, 'cp_dev_secret');
+  } finally {
+    await service.stop();
+    await rm(tempDir, { recursive: true, force: true });
+  }
+});
+
+test('local service logs in with persisted client API URL when env is absent', async () => {
+  const tempDir = await mkdtemp(join(tmpdir(), 'cursor-pool-service-password-config-'));
+  const platformSessionFile = join(tempDir, 'platform-session.json');
+  const clientConfigFile = join(tempDir, 'client-config.json');
+  const calls: Record<string, unknown>[] = [];
+  const platformApi = await createPlatformApiServer((request, response) => {
+    if (request.method === 'GET' && request.url === '/me') {
+      writeJson(response, 200, {
+        user: { id: 'usr_1', email: 'dev@example.com' },
+        device: { id: 'dev_1', status: 'active', lastHeartbeatAt: '2026-05-30T00:00:00Z' },
+      });
+      return;
+    }
+    writeJson(response, 404, { ok: false });
+  });
+  await writeClientConfig({ apiBaseUrl: `${platformApi.apiBaseUrl}/` }, { configFile: clientConfigFile });
+  const service = await startServer({
+    runtimeFile: join(tempDir, 'runtime.json'),
+    platformSessionFile,
+    clientConfigFile,
+    platformExchangePasswordDeviceToken(request) {
+      calls.push(request);
+      return Promise.resolve({
+        deviceToken: 'cp_dev_secret',
+        user: { id: 'usr_1', email: 'dev@example.com' },
+        device: { id: 'dev_1', status: 'active', lastHeartbeatAt: '2026-05-30T00:00:00Z' },
+      });
+    },
+  });
+
+  try {
+    const login = await requestJson(service.port, '/platform/login', {
+      method: 'POST',
+      body: {
+        email: 'dev@example.com',
+        password: 'correct-password',
+        device: { name: 'Lin Mac', os: 'darwin', arch: 'arm64' },
+      },
+    });
+
+    assert.equal(login.status, 200);
+    assert.equal(login.body.state, 'logged-in');
+    assert.equal(calls[0]?.apiBaseUrl, platformApi.apiBaseUrl);
+  } finally {
+    await service.stop();
+    await platformApi.close();
+    await rm(tempDir, { recursive: true, force: true });
+  }
+});
+
+test('local service reports platform password login error code', async () => {
+  const tempDir = await mkdtemp(join(tmpdir(), 'cursor-pool-service-password-error-'));
+  const service = await startServer({
+    runtimeFile: join(tempDir, 'runtime.json'),
+    platformSessionFile: join(tempDir, 'platform-session.json'),
+    platformApiBaseUrl: 'https://platform.example.test/',
+    platformExchangePasswordDeviceToken() {
+      const error = new Error('Request failed with status 401') as Error & {
+        status?: number;
+        platformCode?: string;
+      };
+      error.status = 401;
+      error.platformCode = 'PASSWORD_LOGIN_INVALID';
+      throw error;
+    },
+  });
+
+  try {
+    const login = await requestJson(service.port, '/platform/login', {
+      method: 'POST',
+      body: {
+        email: 'dev@example.com',
+        password: 'wrong-password',
+      },
+    });
+
+    assert.equal(login.status, 400);
+    assert.equal(login.body.error, 'platform login failed');
+    assert.equal(login.body.code, 'PASSWORD_LOGIN_INVALID');
+  } finally {
+    await service.stop();
+    await rm(tempDir, { recursive: true, force: true });
+  }
+});
+
+test('local service takeover rejects when platform mode is inactive', async () => {
+  const tempDir = await mkdtemp(join(tmpdir(), 'cursor-pool-service-takeover-inactive-'));
+  const service = await startServer({
+    runtimeFile: join(tempDir, 'runtime.json'),
+    platformSessionFile: join(tempDir, 'missing-session.json'),
+  });
+
+  try {
+    const initial = await requestJson(service.port, '/agent/takeover/latest');
+    assert.equal(initial.status, 200);
+    assert.deepEqual(initial.body, { ok: true, takeover: null });
+
+    const response = await requestJson(service.port, '/agent/takeover', {
+      method: 'POST',
+      body: {
+        requestId: 'takeover-1',
+        source: 'cursor-always-local',
+        model: 'gpt-test',
+        messages: [{ role: 'user', content: 'secret prompt' }],
+      },
+    });
+
+    assert.equal(response.status, 200);
+    assert.equal(response.body.state, 'rejected');
+    assert.equal(response.body.reason, 'logged-out');
+    assert.equal(JSON.stringify(response.body).includes('secret prompt'), false);
+
+    const latest = await requestJson(service.port, '/agent/takeover/latest');
+    assert.equal(latest.status, 200);
+    assert.deepEqual(latest.body, { ok: true, takeover: response.body });
+  } finally {
+    await service.stop();
+    await rm(tempDir, { recursive: true, force: true });
+  }
+});
+
+test('local service takeover returns fake provider answer when platform mode is active', async () => {
+  const tempDir = await mkdtemp(join(tmpdir(), 'cursor-pool-service-takeover-active-'));
+  const platformSessionFile = join(tempDir, 'platform-session.json');
+  const service = await startServer({
+    runtimeFile: join(tempDir, 'runtime.json'),
+    platformSessionFile,
+  });
+  await writeFile(
+    platformSessionFile,
+    `${JSON.stringify({
+      apiBaseUrl: 'http://127.0.0.1:9',
+      deviceToken: 'cp_dev_secret',
+      createdAt: '2026-06-01T00:00:00.000Z',
+      user: { id: 'usr_1', email: 'dev@example.com' },
+      device: { id: 'dev_1', status: 'active', lastHeartbeatAt: '2026-06-01T00:00:00.000Z' },
+      selectedProductId: 'prod_basic',
+      platformMode: 'active',
+      activeProductId: 'prod_basic',
+      platformModeStartedAt: '2026-06-01T00:05:00.000Z',
+      routeToken: {
+        token: 'rt_secret_value',
+        expiresAt: '2999-06-01T00:10:00.000Z',
+      },
+    }, null, 2)}\n`,
+    'utf8',
+  );
+
+  try {
+    const response = await requestJson(service.port, '/agent/takeover', {
+      method: 'POST',
+      body: {
+        requestId: 'takeover-active-1',
+        source: 'cursor-always-local',
+        model: 'gpt-test',
+        messages: [{ role: 'user', content: 'secret prompt' }],
+      },
+    });
+
+    assert.equal(response.status, 200);
+    assert.deepEqual(response.body, {
+      state: 'answered',
+      requestId: 'takeover-active-1',
+      source: 'cursor-always-local',
+      model: 'gpt-test',
+      content: 'Cursor Pool provider 暂时没有返回可显示内容',
+    });
+    assert.equal(JSON.stringify(response.body).includes('secret prompt'), false);
+    assert.equal(JSON.stringify(response.body).includes('rt_secret_value'), false);
+
+    const latest = await requestJson(service.port, '/agent/takeover/latest');
+    assert.equal(latest.status, 200);
+    assert.deepEqual(latest.body, { ok: true, takeover: response.body });
+  } finally {
+    await service.stop();
+    await rm(tempDir, { recursive: true, force: true });
+  }
+});
+
+test('local service takeover returns provider answer content from gateway forwarder', async () => {
+  const tempDir = await mkdtemp(join(tmpdir(), 'cursor-pool-service-takeover-provider-'));
+  const platformSessionFile = join(tempDir, 'platform-session.json');
+  const service = await startServer({
+    runtimeFile: join(tempDir, 'runtime.json'),
+    platformSessionFile,
+    gatewayForwarder: async (request) => {
+      assert.equal(request.routeToken, 'rt_secret_value');
+      assert.equal(request.poolSessionId, 'pool_session_1');
+      assert.equal(request.productId, 'prod_basic');
+      assert.equal(request.requestId, 'takeover-provider-1');
+      assert.equal(JSON.stringify(request.gateway).includes('rt_secret_value'), false);
+      return {
+        state: 'forwarded',
+        upstreamRequestId: 'gw_req_provider_1',
+        acceptedAt: '2026-06-01T00:30:00.000Z',
+        routeExpiresAt: '2999-06-01T00:10:00.000Z',
+        content: '来自临时单账号 provider 的回答',
+      };
+    },
+  });
+  await writeFile(
+    platformSessionFile,
+    `${JSON.stringify({
+      apiBaseUrl: 'http://127.0.0.1:9',
+      deviceToken: 'cp_dev_secret',
+      createdAt: '2026-06-01T00:00:00.000Z',
+      user: { id: 'usr_1', email: 'dev@example.com' },
+      device: { id: 'dev_1', status: 'active', lastHeartbeatAt: '2026-06-01T00:00:00.000Z' },
+      selectedProductId: 'prod_basic',
+      platformMode: 'active',
+      activeProductId: 'prod_basic',
+      platformModeStartedAt: '2026-06-01T00:05:00.000Z',
+      poolSession: {
+        id: 'pool_session_1',
+        productId: 'prod_basic',
+        providerType: 'development-single-provider',
+        status: 'active',
+        startedAt: '2026-06-01T00:05:00.000Z',
+        expiresAt: '2999-06-01T01:05:00.000Z',
+        routeTokenExpiresAt: '2999-06-01T00:10:00.000Z',
+        routeStrategy: 'platform-gateway',
+        bannedModels: [],
+        availableModels: ['gpt-test'],
+        capabilities: {
+          streaming: false,
+          usageEstimate: true,
+          hardSpendLimit: true,
+        },
+      },
+      routeToken: {
+        token: 'rt_secret_value',
+        expiresAt: '2999-06-01T00:10:00.000Z',
+      },
+    }, null, 2)}\n`,
+    'utf8',
+  );
+
+  try {
+    const response = await requestJson(service.port, '/agent/takeover', {
+      method: 'POST',
+      body: {
+        requestId: 'takeover-provider-1',
+        source: 'cursor-agent-exec',
+        model: 'gpt-test',
+      },
+    });
+
+    assert.equal(response.status, 200);
+    assert.deepEqual(response.body, {
+      state: 'answered',
+      requestId: 'takeover-provider-1',
+      source: 'cursor-agent-exec',
+      model: 'gpt-test',
+      content: '来自临时单账号 provider 的回答',
+    });
+    assert.equal(JSON.stringify(response.body).includes('rt_secret_value'), false);
+  } finally {
+    await service.stop();
+    await rm(tempDir, { recursive: true, force: true });
+  }
+});
+
+test('local service allows Cursor workbench renderer preflight and takeover POST', async () => {
+  const tempDir = await mkdtemp(join(tmpdir(), 'cursor-pool-service-takeover-cors-'));
+  const platformSessionFile = join(tempDir, 'platform-session.json');
+  const service = await startServer({
+    runtimeFile: join(tempDir, 'runtime.json'),
+    platformSessionFile,
+  });
+  await writeFile(
+    platformSessionFile,
+    `${JSON.stringify({
+      apiBaseUrl: 'http://127.0.0.1:9',
+      deviceToken: 'cp_dev_secret',
+      createdAt: '2026-06-01T00:00:00.000Z',
+      user: { id: 'usr_1', email: 'dev@example.com' },
+      device: { id: 'dev_1', status: 'active', lastHeartbeatAt: '2026-06-01T00:00:00.000Z' },
+      platformMode: 'active',
+      activeProductId: 'prod_basic',
+      platformModeStartedAt: '2026-06-01T00:05:00.000Z',
+      routeToken: {
+        token: 'rt_secret_value',
+        expiresAt: '2999-06-01T00:10:00.000Z',
+      },
+    }, null, 2)}\n`,
+    'utf8',
+  );
+
+  try {
+    const blockedPreflight = await requestRaw(service.port, '/agent/takeover', {
+      method: 'OPTIONS',
+      headers: {
+        origin: 'https://evil.example',
+        'access-control-request-method': 'POST',
+        'access-control-request-headers': 'content-type',
+      },
+    });
+
+    assert.equal(blockedPreflight.status, 403);
+    assert.equal(blockedPreflight.headers.get('access-control-allow-origin'), null);
+
+    const preflight = await requestRaw(service.port, '/agent/takeover', {
+      method: 'OPTIONS',
+      headers: {
+        origin: 'vscode-file://vscode-app',
+        'access-control-request-method': 'POST',
+        'access-control-request-headers': 'content-type',
+      },
+    });
+
+    assert.equal(preflight.status, 204);
+    assert.equal(preflight.headers.get('access-control-allow-origin'), 'vscode-file://vscode-app');
+    assert.match(preflight.headers.get('access-control-allow-methods') ?? '', /POST/);
+    assert.match(preflight.headers.get('access-control-allow-headers') ?? '', /content-type/i);
+
+    const response = await requestJson(service.port, '/agent/takeover', {
+      method: 'POST',
+      headers: { origin: 'vscode-file://vscode-app' },
+      body: {
+        requestId: 'takeover-cors-1',
+        source: 'cursor-agent-exec',
+        model: 'default',
+      },
+    });
+
+    assert.equal(response.status, 200);
+    assert.equal(response.body.state, 'answered');
+    assert.equal(response.body.requestId, 'takeover-cors-1');
+    assert.equal(response.body.content, 'Cursor Pool provider 暂时没有返回可显示内容');
+  } finally {
+    await service.stop();
+    await rm(tempDir, { recursive: true, force: true });
+  }
+});
+
+test('local service stores and returns the latest sanitized agent canary', async () => {
+  const tempDir = await mkdtemp(join(tmpdir(), 'cursor-pool-service-canary-'));
+  const platformSessionFile = join(tempDir, 'platform-session.json');
+  const service = await startServer({
+    runtimeFile: join(tempDir, 'runtime.json'),
+    platformSessionFile,
+  });
+  await writeFile(
+    platformSessionFile,
+    `${JSON.stringify({
+      apiBaseUrl: 'http://127.0.0.1:9',
+      deviceToken: 'cp_dev_secret',
+      createdAt: '2026-05-31T00:00:00.000Z',
+      user: { id: 'usr_1', email: 'dev@example.com' },
+      device: { id: 'dev_1', status: 'active', lastHeartbeatAt: '2026-05-31T00:00:00.000Z' },
+      platformMode: 'active',
+      activeProductId: 'prod_basic',
+      platformModeStartedAt: '2026-05-31T00:05:00.000Z',
+      routeToken: {
+        token: 'rt_secret_value',
+        expiresAt: '2999-05-31T00:10:00.000Z',
+      },
+    }, null, 2)}\n`,
+    'utf8',
+  );
+
+  try {
+    const initial = await requestJson(service.port, '/agent/canary/latest');
+    assert.equal(initial.status, 200);
+    assert.deepEqual(initial.body, { ok: true, canary: null });
+
+    const posted = await requestJson(service.port, '/agent/canary', {
+      method: 'POST',
+      body: {
+        requestId: 'req-1',
+        requestType: 'agent',
+        source: 'cursor-agent-exec',
+        model: 'gpt-test',
+        prompt: 'discard this',
+        token: 'discard this too',
+      },
+    });
+
+    assert.equal(posted.status, 200);
+    assert.equal(posted.body.ok, true);
+    assert.equal(posted.body.canary.requestId, 'req-1');
+    assert.equal(posted.body.canary.requestType, 'agent');
+    assert.equal(posted.body.canary.source, 'cursor-agent-exec');
+    assert.equal(posted.body.canary.model, 'gpt-test');
+    assert.equal(posted.body.canary.runtimeId, service.runtimeId);
+    assert.match(posted.body.canary.receivedAt, /^\d{4}-\d{2}-\d{2}T/);
+    assert.deepEqual(posted.body.canary.gate, {
+      state: 'allowed',
+      productId: 'prod_basic',
+      modeStartedAt: '2026-05-31T00:05:00.000Z',
+    });
+    assert.equal(Object.hasOwn(posted.body.canary, 'prompt'), false);
+    assert.equal(Object.hasOwn(posted.body.canary, 'token'), false);
+
+    const latest = await requestJson(service.port, '/agent/canary/latest');
+    assert.equal(latest.status, 200);
+    assert.deepEqual(latest.body, posted.body);
+  } finally {
+    await service.stop();
+    await rm(tempDir, { recursive: true, force: true });
+  }
+});
+
+test('local service reports blocked gate for logged-out agent canary', async () => {
+  const tempDir = await mkdtemp(join(tmpdir(), 'cursor-pool-service-canary-'));
+  const service = await startServer({
+    runtimeFile: join(tempDir, 'runtime.json'),
+    platformSessionFile: join(tempDir, 'missing-platform-session.json'),
+  });
+
+  try {
+    const posted = await requestJson(service.port, '/agent/canary', {
+      method: 'POST',
+      body: {
+        requestId: 'req-logged-out',
+        model: 'gpt-test',
+      },
+    });
+
+    assert.equal(posted.status, 200);
+    assert.equal(posted.body.ok, true);
+    assert.deepEqual(posted.body.canary.gate, { state: 'blocked', reason: 'logged-out' });
+
+    const latest = await requestJson(service.port, '/agent/canary/latest');
+    assert.equal(latest.status, 200);
+    assert.deepEqual(latest.body.canary.gate, { state: 'blocked', reason: 'logged-out' });
+  } finally {
+    await service.stop();
+    await rm(tempDir, { recursive: true, force: true });
+  }
+});
+
+test('local service appends sanitized agent canary diagnostics', async () => {
+  const tempDir = await mkdtemp(join(tmpdir(), 'cursor-pool-service-canary-'));
+  const diagnosticsFile = join(tempDir, 'diagnostics.jsonl');
+  const service = await startServer({
+    runtimeFile: join(tempDir, 'runtime.json'),
+    platformSessionFile: join(tempDir, 'missing-platform-session.json'),
+    diagnosticsFile,
+  });
+
+  try {
+    const posted = await requestJson(service.port, '/agent/canary', {
+      method: 'POST',
+      body: {
+        requestId: 'req-1',
+        model: 'gpt-test',
+        prompt: 'discard this',
+        apiKey: 'discard this too',
+      },
+    });
+
+    assert.equal(posted.status, 200);
+
+    const content = await readFile(diagnosticsFile, 'utf8');
+    const saved = JSON.parse(content.trim()) as Record<string, unknown>;
+    assert.equal(saved.requestId, 'req-1');
+    assert.equal(saved.requestType, 'agent');
+    assert.equal(saved.source, 'cursor-agent-exec');
+    assert.equal(saved.model, 'gpt-test');
+    assert.equal(saved.runtimeId, service.runtimeId);
+    assert.deepEqual(saved.gate, { state: 'blocked', reason: 'logged-out' });
+    assert.equal(Object.hasOwn(saved, 'prompt'), false);
+    assert.equal(Object.hasOwn(saved, 'apiKey'), false);
+  } finally {
+    await service.stop();
+    await rm(tempDir, { recursive: true, force: true });
+  }
+});
+
+test('local service keeps canary endpoint available when diagnostics write fails', async () => {
+  const tempDir = await mkdtemp(join(tmpdir(), 'cursor-pool-service-canary-'));
+  const service = await startServer({
+    runtimeFile: join(tempDir, 'runtime.json'),
+    platformSessionFile: join(tempDir, 'missing-platform-session.json'),
+    diagnosticsFile: tempDir,
+  });
+
+  try {
+    const posted = await requestJson(service.port, '/agent/canary', {
+      method: 'POST',
+      body: { requestId: 'req-1' },
+    });
+
+    assert.equal(posted.status, 200);
+    assert.equal(posted.body.ok, true);
+    assert.equal(posted.body.canary.requestId, 'req-1');
+
+    const latest = await requestJson(service.port, '/agent/canary/latest');
+    assert.equal(latest.status, 200);
+    assert.deepEqual(latest.body, posted.body);
+  } finally {
+    await service.stop();
+    await rm(tempDir, { recursive: true, force: true });
+  }
+});
+
+test('local service request-check returns allowed decision and safe diagnostics', async () => {
+  const tempDir = await mkdtemp(join(tmpdir(), 'cursor-pool-service-request-check-'));
+  const platformSessionFile = join(tempDir, 'platform-session.json');
+  const diagnosticsFile = join(tempDir, 'diagnostics.jsonl');
+  const service = await startServer({
+    runtimeFile: join(tempDir, 'runtime.json'),
+    platformSessionFile,
+    diagnosticsFile,
+  });
+  await writeFile(
+    platformSessionFile,
+    `${JSON.stringify({
+      apiBaseUrl: 'http://127.0.0.1:9',
+      deviceToken: 'cp_dev_secret',
+      createdAt: '2026-05-31T00:00:00.000Z',
+      user: { id: 'usr_1', email: 'dev@example.com' },
+      device: { id: 'dev_1', status: 'active', lastHeartbeatAt: '2026-05-31T00:00:00.000Z' },
+      platformMode: 'active',
+      activeProductId: 'prod_basic',
+      platformModeStartedAt: '2026-05-31T00:05:00.000Z',
+      routeToken: {
+        token: 'rt_secret_value',
+        expiresAt: '2999-05-31T00:10:00.000Z',
+      },
+    }, null, 2)}\n`,
+    'utf8',
+  );
+
+  try {
+    const posted = await requestJson(service.port, '/agent/request-check', {
+      method: 'POST',
+      body: {
+        requestId: 'req-check-1',
+        source: 'manual-check',
+        model: 'gpt-test',
+        prompt: 'discard this',
+        apiKey: 'discard this too',
+      },
+    });
+
+    assert.equal(posted.status, 200);
+    assert.equal(posted.body.ok, true);
+    assert.equal(posted.body.check.requestId, 'req-check-1');
+    assert.equal(posted.body.check.requestType, 'agent');
+    assert.equal(posted.body.check.source, 'manual-check');
+    assert.equal(posted.body.check.model, 'gpt-test');
+    assert.equal(posted.body.check.runtimeId, service.runtimeId);
+    assert.match(posted.body.check.receivedAt, /^\d{4}-\d{2}-\d{2}T/);
+    assert.deepEqual(posted.body.check.decision, {
+      state: 'allowed',
+      productId: 'prod_basic',
+      modeStartedAt: '2026-05-31T00:05:00.000Z',
+    });
+    assert.deepEqual(posted.body.check.route, {
+      state: 'ready',
+      expiresAt: '2999-05-31T00:10:00.000Z',
+    });
+    assert.equal(Object.hasOwn(posted.body.check, 'prompt'), false);
+    assert.equal(Object.hasOwn(posted.body.check, 'apiKey'), false);
+    assert.doesNotMatch(JSON.stringify(posted.body), /rt_secret_value|routeToken/);
+
+    const content = await readFile(diagnosticsFile, 'utf8');
+    const saved = JSON.parse(content.trim()) as Record<string, unknown>;
+    assert.equal(saved.kind, 'agent-request-check');
+    assert.equal(saved.requestId, 'req-check-1');
+    assert.deepEqual(saved.decision, posted.body.check.decision);
+    assert.deepEqual(saved.route, posted.body.check.route);
+    assert.equal(Object.hasOwn(saved, 'prompt'), false);
+    assert.equal(Object.hasOwn(saved, 'apiKey'), false);
+    assert.doesNotMatch(JSON.stringify(saved), /rt_secret_value|routeToken/);
+  } finally {
+    await service.stop();
+    await rm(tempDir, { recursive: true, force: true });
+  }
+});
+
+test('local service returns latest request-check state', async () => {
+  const tempDir = await mkdtemp(join(tmpdir(), 'cursor-pool-service-request-check-'));
+  const platformSessionFile = join(tempDir, 'platform-session.json');
+  const service = await startServer({
+    runtimeFile: join(tempDir, 'runtime.json'),
+    platformSessionFile,
+  });
+  await writeFile(
+    platformSessionFile,
+    `${JSON.stringify({
+      apiBaseUrl: 'http://127.0.0.1:9',
+      deviceToken: 'cp_dev_secret',
+      createdAt: '2026-05-31T00:00:00.000Z',
+      user: { id: 'usr_1', email: 'dev@example.com' },
+      device: { id: 'dev_1', status: 'active', lastHeartbeatAt: '2026-05-31T00:00:00.000Z' },
+      platformMode: 'active',
+      activeProductId: 'prod_basic',
+      platformModeStartedAt: '2026-05-31T00:05:00.000Z',
+    }, null, 2)}\n`,
+    'utf8',
+  );
+
+  try {
+    const initial = await requestJson(service.port, '/agent/request-check/latest');
+    assert.equal(initial.status, 200);
+    assert.deepEqual(initial.body, { ok: true, check: null });
+
+    const posted = await requestJson(service.port, '/agent/request-check', {
+      method: 'POST',
+      body: {
+        requestId: 'req-check-latest',
+        source: 'cursor-agent-exec',
+        model: 'gpt-test',
+        prompt: 'discard this',
+        apiKey: 'discard this too',
+      },
+    });
+
+    assert.equal(posted.status, 200);
+    assert.equal(posted.body.ok, true);
+
+    const latest = await requestJson(service.port, '/agent/request-check/latest');
+    assert.equal(latest.status, 200);
+    assert.deepEqual(latest.body, { ok: true, check: posted.body.check });
+    assert.equal(Object.hasOwn(latest.body.check, 'prompt'), false);
+    assert.equal(Object.hasOwn(latest.body.check, 'apiKey'), false);
+  } finally {
+    await service.stop();
+    await rm(tempDir, { recursive: true, force: true });
+  }
+});
+
+test('local service request-check returns blocked decision for logged-out session', async () => {
+  const tempDir = await mkdtemp(join(tmpdir(), 'cursor-pool-service-request-check-'));
+  const service = await startServer({
+    runtimeFile: join(tempDir, 'runtime.json'),
+    platformSessionFile: join(tempDir, 'missing-platform-session.json'),
+  });
+
+  try {
+    const posted = await requestJson(service.port, '/agent/request-check', {
+      method: 'POST',
+      body: {
+        requestId: 'req-logged-out',
+        model: 'sk-live-secret-token',
+      },
+    });
+
+    assert.equal(posted.status, 200);
+    assert.equal(posted.body.ok, false);
+    assert.equal(posted.body.check.requestId, 'req-logged-out');
+    assert.equal(posted.body.check.model, 'unknown');
+    assert.deepEqual(posted.body.check.decision, { state: 'blocked', reason: 'logged-out' });
+    assert.deepEqual(posted.body.check.route, { state: 'missing' });
+  } finally {
+    await service.stop();
+    await rm(tempDir, { recursive: true, force: true });
+  }
+});
+
+test('local service request-check rejects invalid JSON', async () => {
+  const tempDir = await mkdtemp(join(tmpdir(), 'cursor-pool-service-request-check-'));
+  const service = await startServer({ runtimeFile: join(tempDir, 'runtime.json') });
+
+  try {
+    const response = await fetch(`http://127.0.0.1:${service.port}/agent/request-check`, {
+      method: 'POST',
+      headers: { 'content-type': 'application/json' },
+      body: '{not-json',
+    });
+    const body = await response.json();
+
+    assert.equal(response.status, 400);
+    assert.deepEqual(body, { ok: false, error: 'invalid request' });
+  } finally {
+    await service.stop();
+    await rm(tempDir, { recursive: true, force: true });
+  }
+});
+
+test('local service keeps request-check available when diagnostics write fails', async () => {
+  const tempDir = await mkdtemp(join(tmpdir(), 'cursor-pool-service-request-check-'));
+  const service = await startServer({
+    runtimeFile: join(tempDir, 'runtime.json'),
+    platformSessionFile: join(tempDir, 'missing-platform-session.json'),
+    diagnosticsFile: tempDir,
+  });
+
+  try {
+    const posted = await requestJson(service.port, '/agent/request-check', {
+      method: 'POST',
+      body: { requestId: 'req-check-1' },
+    });
+
+    assert.equal(posted.status, 200);
+    assert.equal(posted.body.ok, false);
+    assert.equal(posted.body.check.requestId, 'req-check-1');
+    assert.deepEqual(posted.body.check.decision, { state: 'blocked', reason: 'logged-out' });
+  } finally {
+    await service.stop();
+    await rm(tempDir, { recursive: true, force: true });
+  }
+});
+
+test('local service request-gateway returns accepted decision and safe diagnostics', async () => {
+  const tempDir = await mkdtemp(join(tmpdir(), 'cursor-pool-service-gateway-'));
+  const platformSessionFile = join(tempDir, 'platform-session.json');
+  const diagnosticsFile = join(tempDir, 'diagnostics.jsonl');
+  const service = await startServer({
+    runtimeFile: join(tempDir, 'runtime.json'),
+    platformSessionFile,
+    diagnosticsFile,
+  });
+  await writeFile(
+    platformSessionFile,
+    `${JSON.stringify({
+      apiBaseUrl: 'http://127.0.0.1:9',
+      deviceToken: 'cp_dev_secret',
+      createdAt: '2026-05-31T00:00:00.000Z',
+      user: { id: 'usr_1', email: 'dev@example.com' },
+      device: { id: 'dev_1', status: 'active', lastHeartbeatAt: '2026-05-31T00:00:00.000Z' },
+      platformMode: 'active',
+      activeProductId: 'prod_basic',
+      platformModeStartedAt: '2026-05-31T00:05:00.000Z',
+      routeToken: {
+        token: 'rt_secret_value',
+        expiresAt: '2999-05-31T00:10:00.000Z',
+      },
+    }, null, 2)}\n`,
+    'utf8',
+  );
+
+  try {
+    const posted = await requestJson(service.port, '/agent/request-gateway', {
+      method: 'POST',
+      body: {
+        requestId: 'req-gateway-1',
+        source: 'cursor-agent-exec',
+        model: 'gpt-test',
+        prompt: 'discard this',
+        apiKey: 'discard this too',
+        routeToken: 'rt_secret_value',
+      },
+    });
+
+    assert.equal(posted.status, 200);
+    assert.equal(posted.body.ok, false);
+    assert.equal(posted.body.gateway.requestId, 'req-gateway-1');
+    assert.equal(posted.body.gateway.requestType, 'agent');
+    assert.equal(posted.body.gateway.source, 'cursor-agent-exec');
+    assert.equal(posted.body.gateway.model, 'gpt-test');
+    assert.equal(posted.body.gateway.runtimeId, service.runtimeId);
+    assert.deepEqual(posted.body.gateway.decision, {
+      state: 'accepted',
+      productId: 'prod_basic',
+      modeStartedAt: '2026-05-31T00:05:00.000Z',
+      route: { state: 'ready', expiresAt: '2999-05-31T00:10:00.000Z' },
+    });
+    assert.deepEqual(posted.body.gateway.forward, { state: 'network-error' });
+    assert.doesNotMatch(JSON.stringify(posted.body), /prompt|apiKey|rt_secret_value|routeToken/);
+
+    const saved = JSON.parse((await readFile(diagnosticsFile, 'utf8')).trim()) as Record<string, unknown>;
+    assert.equal(saved.kind, 'agent-request-gateway');
+    assert.deepEqual(saved.decision, posted.body.gateway.decision);
+    assert.deepEqual(saved.forward, { state: 'network-error' });
+    assert.doesNotMatch(JSON.stringify(saved), /prompt|apiKey|rt_secret_value|routeToken/);
+  } finally {
+    await service.stop();
+    await rm(tempDir, { recursive: true, force: true });
+  }
+});
+
+test('local service request-gateway forwards to platform API by default', async () => {
+  const tempDir = await mkdtemp(join(tmpdir(), 'cursor-pool-service-gateway-'));
+  const platformSessionFile = join(tempDir, 'platform-session.json');
+  const forwarded: Record<string, unknown>[] = [];
+  const platformApi = await createPlatformApiServer(async (request, response) => {
+    if (request.method !== 'POST' || request.url !== '/api/client/gateway/agent') {
+      writeJson(response, 404, { ok: false });
+      return;
+    }
+
+    assert.equal(request.headers.authorization, 'Bearer cp_dev_secret');
+    const chunks: Buffer[] = [];
+    for await (const chunk of request) {
+      chunks.push(Buffer.isBuffer(chunk) ? chunk : Buffer.from(chunk));
+    }
+    const body = JSON.parse(Buffer.concat(chunks).toString('utf8')) as Record<string, unknown>;
+    forwarded.push(body);
+    assert.equal(body.routeToken, 'rt_secret_value');
+    assert.equal(body.poolSessionId, 'pool_session_1');
+    assert.equal(body.productId, 'prod_basic');
+    assert.equal(body.model, 'gpt-test');
+    assert.equal(body.requestId, 'req-gateway-default');
+    assert.equal(Object.hasOwn(body, 'prompt'), false);
+    assert.equal(Object.hasOwn(body, 'messages'), false);
+    assert.equal(Object.hasOwn(body, 'apiKey'), false);
+    assert.equal((body.gateway as Record<string, unknown>).requestId, 'req-gateway-default');
+    assert.equal(JSON.stringify(body.gateway).includes('rt_secret_value'), false);
+    assert.equal(JSON.stringify(body.gateway).includes('discard this'), false);
+
+    writeJson(response, 200, {
+      state: 'forwarded',
+      upstreamRequestId: 'gw_req_default',
+      acceptedAt: '2026-05-31T00:30:00.000Z',
+      routeExpiresAt: '2999-05-31T00:10:00.000Z',
+    });
+  });
+  const service = await startServer({
+    runtimeFile: join(tempDir, 'runtime.json'),
+    platformSessionFile,
+  });
+  await writeFile(
+    platformSessionFile,
+    `${JSON.stringify({
+      apiBaseUrl: platformApi.apiBaseUrl,
+      deviceToken: 'cp_dev_secret',
+      createdAt: '2026-05-31T00:00:00.000Z',
+      user: { id: 'usr_1', email: 'dev@example.com' },
+      device: { id: 'dev_1', status: 'active', lastHeartbeatAt: '2026-05-31T00:00:00.000Z' },
+      platformMode: 'active',
+      activeProductId: 'prod_basic',
+      platformModeStartedAt: '2026-05-31T00:05:00.000Z',
+      poolSession: {
+        id: 'pool_session_1',
+        productId: 'prod_basic',
+        providerType: 'development',
+        status: 'active',
+        startedAt: '2026-05-31T00:05:00.000Z',
+        expiresAt: '2999-05-31T00:20:00.000Z',
+        routeTokenExpiresAt: '2999-05-31T00:10:00.000Z',
+        routeStrategy: 'platform-gateway',
+        bannedModels: [],
+        capabilities: { streaming: false, usageEstimate: false, hardSpendLimit: false },
+      },
+      routeToken: {
+        token: 'rt_secret_value',
+        expiresAt: '2999-05-31T00:10:00.000Z',
+      },
+    }, null, 2)}\n`,
+    'utf8',
+  );
+
+  try {
+    const posted = await requestJson(service.port, '/agent/request-gateway', {
+      method: 'POST',
+      body: {
+        requestId: 'req-gateway-default',
+        source: 'cursor-agent-exec',
+        model: 'gpt-test',
+        prompt: 'discard this',
+        messages: [{ role: 'user', content: 'discard this too' }],
+        apiKey: 'discard this too',
+      },
+    });
+
+    assert.equal(posted.status, 200);
+    assert.equal(posted.body.ok, true);
+    assert.deepEqual(posted.body.gateway.forward, {
+      state: 'forwarded',
+      upstreamRequestId: 'gw_req_default',
+      acceptedAt: '2026-05-31T00:30:00.000Z',
+    });
+    assert.equal(forwarded.length, 1);
+    assert.doesNotMatch(JSON.stringify(posted.body), /rt_secret_value|discard this|routeToken/);
+  } finally {
+    await service.stop();
+    await platformApi.close();
+    await rm(tempDir, { recursive: true, force: true });
+  }
+});
+
+test('local service request-gateway accepts patch-like payload without leaking route token', async () => {
+  const tempDir = await mkdtemp(join(tmpdir(), 'cursor-pool-service-gateway-'));
+  const platformSessionFile = join(tempDir, 'platform-session.json');
+  const diagnosticsFile = join(tempDir, 'diagnostics.jsonl');
+  const forwarded: Record<string, unknown>[] = [];
+  const platformApi = await createPlatformApiServer(async (request, response) => {
+    if (request.method !== 'POST' || request.url !== '/api/client/gateway/agent') {
+      writeJson(response, 404, { ok: false });
+      return;
+    }
+
+    assert.equal(request.headers.authorization, 'Bearer cp_dev_secret');
+    const chunks: Buffer[] = [];
+    for await (const chunk of request) {
+      chunks.push(Buffer.isBuffer(chunk) ? chunk : Buffer.from(chunk));
+    }
+    const body = JSON.parse(Buffer.concat(chunks).toString('utf8')) as Record<string, unknown>;
+    forwarded.push(body);
+    assert.equal(body.routeToken, 'rt_secret_value');
+    assert.equal(body.poolSessionId, 'pool_session_1');
+    assert.equal(body.productId, 'prod_basic');
+    assert.equal(body.requestId, 'req-patch-like');
+    assert.equal(Object.hasOwn(body, 'prompt'), false);
+    assert.equal(Object.hasOwn(body, 'messages'), false);
+    assert.equal(Object.hasOwn(body, 'apiKey'), false);
+
+    const gateway = body.gateway as Record<string, unknown>;
+    assert.equal(gateway.requestId, 'req-patch-like');
+    assert.equal(gateway.requestType, 'agent');
+    assert.equal(gateway.source, 'cursor-agent-exec');
+    assert.equal(JSON.stringify(gateway).includes('rt_secret_value'), false);
+    assert.equal(JSON.stringify(gateway).includes('routeToken'), false);
+    assert.equal(JSON.stringify(gateway).includes('prompt'), false);
+    assert.equal(JSON.stringify(gateway).includes('messages'), false);
+
+    writeJson(response, 200, {
+      state: 'forwarded',
+      upstreamRequestId: 'gw_req_patch_like',
+      acceptedAt: '2026-05-31T00:30:00.000Z',
+      routeExpiresAt: '2999-05-31T00:10:00.000Z',
+    });
+  });
+  const service = await startServer({
+    runtimeFile: join(tempDir, 'runtime.json'),
+    platformSessionFile,
+    diagnosticsFile,
+  });
+  await writeFile(
+    platformSessionFile,
+    `${JSON.stringify({
+      apiBaseUrl: platformApi.apiBaseUrl,
+      deviceToken: 'cp_dev_secret',
+      createdAt: '2026-05-31T00:00:00.000Z',
+      user: { id: 'usr_1', email: 'dev@example.com' },
+      device: { id: 'dev_1', status: 'active', lastHeartbeatAt: '2026-05-31T00:00:00.000Z' },
+      platformMode: 'active',
+      activeProductId: 'prod_basic',
+      platformModeStartedAt: '2026-05-31T00:05:00.000Z',
+      poolSession: {
+        id: 'pool_session_1',
+        productId: 'prod_basic',
+        providerType: 'development',
+        status: 'active',
+        startedAt: '2026-05-31T00:05:00.000Z',
+        expiresAt: '2999-05-31T00:20:00.000Z',
+        routeTokenExpiresAt: '2999-05-31T00:10:00.000Z',
+        routeStrategy: 'platform-gateway',
+        bannedModels: [],
+        capabilities: { streaming: false, usageEstimate: false, hardSpendLimit: false },
+      },
+      routeToken: {
+        token: 'rt_secret_value',
+        expiresAt: '2999-05-31T00:10:00.000Z',
+      },
+    }, null, 2)}\n`,
+    'utf8',
+  );
+
+  try {
+    const posted = await requestJson(service.port, '/agent/request-gateway', {
+      method: 'POST',
+      body: {
+        requestId: 'req-patch-like',
+        requestType: 'agent',
+        source: 'cursor-agent-exec',
+      },
+    });
+
+    assert.equal(posted.status, 200);
+    assert.equal(posted.body.ok, true);
+    assert.equal(posted.body.gateway.requestId, 'req-patch-like');
+    assert.equal(posted.body.gateway.requestType, 'agent');
+    assert.equal(posted.body.gateway.source, 'cursor-agent-exec');
+    assert.equal(posted.body.gateway.runtimeId, service.runtimeId);
+    assert.deepEqual(posted.body.gateway.decision, {
+      state: 'accepted',
+      productId: 'prod_basic',
+      modeStartedAt: '2026-05-31T00:05:00.000Z',
+      route: { state: 'ready', expiresAt: '2999-05-31T00:10:00.000Z' },
+    });
+    assert.deepEqual(posted.body.gateway.forward, {
+      state: 'forwarded',
+      upstreamRequestId: 'gw_req_patch_like',
+      acceptedAt: '2026-05-31T00:30:00.000Z',
+    });
+    assert.equal(forwarded.length, 1);
+    assert.doesNotMatch(JSON.stringify(posted.body), /rt_secret_value|routeToken|prompt|messages/);
+
+    const saved = JSON.parse((await readFile(diagnosticsFile, 'utf8')).trim()) as Record<string, unknown>;
+    assert.equal(saved.kind, 'agent-request-gateway');
+    assert.deepEqual(saved.decision, posted.body.gateway.decision);
+    assert.deepEqual(saved.forward, posted.body.gateway.forward);
+    assert.doesNotMatch(JSON.stringify(saved), /rt_secret_value|routeToken|prompt|messages/);
+  } finally {
+    await service.stop();
+    await platformApi.close();
+    await rm(tempDir, { recursive: true, force: true });
+  }
+});
+
+test('local service request-gateway returns forwarded when injected forwarder accepts', async () => {
+  const tempDir = await mkdtemp(join(tmpdir(), 'cursor-pool-service-gateway-'));
+  const platformSessionFile = join(tempDir, 'platform-session.json');
+  const diagnosticsFile = join(tempDir, 'diagnostics.jsonl');
+  const service = await startServer({
+    runtimeFile: join(tempDir, 'runtime.json'),
+    platformSessionFile,
+    diagnosticsFile,
+    gatewayForwarder: async (request) => {
+      assert.equal(request.routeToken, 'rt_secret_value');
+      assert.equal(request.poolSessionId, 'pool_session_1');
+      assert.equal(request.productId, 'prod_basic');
+      assert.equal(request.gateway.requestId, 'req-gateway-1');
+      assert.equal(JSON.stringify(request.gateway).includes('rt_secret_value'), false);
+      return {
+        state: 'forwarded',
+        upstreamRequestId: 'gw_req_1',
+        acceptedAt: '2026-05-31T00:30:00.000Z',
+        routeExpiresAt: '2999-05-31T00:10:00.000Z',
+      };
+    },
+  });
+  await writeFile(
+    platformSessionFile,
+    `${JSON.stringify({
+      apiBaseUrl: 'http://127.0.0.1:9',
+      deviceToken: 'cp_dev_secret',
+      createdAt: '2026-05-31T00:00:00.000Z',
+      user: { id: 'usr_1', email: 'dev@example.com' },
+      device: { id: 'dev_1', status: 'active', lastHeartbeatAt: '2026-05-31T00:00:00.000Z' },
+      platformMode: 'active',
+      activeProductId: 'prod_basic',
+      platformModeStartedAt: '2026-05-31T00:05:00.000Z',
+      poolSession: {
+        id: 'pool_session_1',
+        productId: 'prod_basic',
+        providerType: 'mock',
+        status: 'active',
+        startedAt: '2026-05-31T00:05:00.000Z',
+        expiresAt: '2999-05-31T00:20:00.000Z',
+        routeTokenExpiresAt: '2999-05-31T00:10:00.000Z',
+        routeStrategy: 'platform-gateway',
+        bannedModels: [],
+        capabilities: { streaming: false, usageEstimate: false, hardSpendLimit: false },
+      },
+      routeToken: {
+        token: 'rt_secret_value',
+        expiresAt: '2999-05-31T00:10:00.000Z',
+      },
+    }, null, 2)}\n`,
+    'utf8',
+  );
+
+  try {
+    const posted = await requestJson(service.port, '/agent/request-gateway', {
+      method: 'POST',
+      body: {
+        requestId: 'req-gateway-1',
+        source: 'cursor-agent-exec',
+        model: 'gpt-test',
+        prompt: 'must not persist',
+        routeToken: 'rt_secret_value',
+      },
+    });
+
+    assert.equal(posted.status, 200);
+    assert.equal(posted.body.ok, true);
+    assert.deepEqual(posted.body.gateway.forward, {
+      state: 'forwarded',
+      upstreamRequestId: 'gw_req_1',
+      acceptedAt: '2026-05-31T00:30:00.000Z',
+    });
+    assert.doesNotMatch(JSON.stringify(posted.body), /rt_secret_value|must not persist/);
+
+    const latest = await requestJson(service.port, '/agent/request-gateway/latest');
+    assert.deepEqual(latest.body.gateway.forward, posted.body.gateway.forward);
+
+    const saved = JSON.parse((await readFile(diagnosticsFile, 'utf8')).trim()) as Record<string, unknown>;
+    assert.deepEqual(saved.forward, posted.body.gateway.forward);
+  } finally {
+    await service.stop();
+    await rm(tempDir, { recursive: true, force: true });
+  }
+});
+
+test('local service exposes OpenAI-compatible models for Cursor native local agent', async () => {
+  const tempDir = await mkdtemp(join(tmpdir(), 'cursor-pool-service-openai-models-'));
+  const service = await startServer({
+    runtimeFile: join(tempDir, 'runtime.json'),
+    platformSessionFile: join(tempDir, 'missing-platform-session.json'),
+  });
+
+  try {
+    const response = await requestJson(service.port, '/models', {
+      headers: { authorization: 'Bearer cursor-pool-local' },
+    });
+
+    assert.equal(response.status, 200);
+    assert.equal(Array.isArray(response.body.data), true);
+    assert.equal(response.body.data[0].id, 'gpt-test');
+    assert.deepEqual(response.body.data[0].api_types, ['chat_completions']);
+    assert.equal(response.body.data[0].capabilities.supports_tool_use, true);
+    assert.equal(response.body.data[0].capabilities.supports_streaming, true);
+    assert.deepEqual(response.body.data[0].capabilities.output_modalities, ['text']);
+  } finally {
+    await service.stop();
+    await rm(tempDir, { recursive: true, force: true });
+  }
+});
+
+test('local service OpenAI-compatible chat completions forwards through platform gateway', async () => {
+  const tempDir = await mkdtemp(join(tmpdir(), 'cursor-pool-service-openai-chat-'));
+  const platformSessionFile = join(tempDir, 'platform-session.json');
+  const service = await startServer({
+    runtimeFile: join(tempDir, 'runtime.json'),
+    platformSessionFile,
+    gatewayForwarder: async (request) => {
+      assert.equal(request.routeToken, 'rt_secret_value');
+      assert.equal(request.poolSessionId, 'pool_session_1');
+      assert.equal(request.productId, 'prod_basic');
+      assert.equal(request.model, 'gpt-test');
+      assert.equal(request.gateway.source, 'cursor-agent-exec');
+      assert.equal(JSON.stringify(request.gateway).includes('create temp file'), false);
+      return {
+        state: 'forwarded',
+        upstreamRequestId: 'gw_req_openai_1',
+        acceptedAt: '2026-06-01T00:30:00.000Z',
+        routeExpiresAt: '2999-06-01T00:10:00.000Z',
+        content: '来自 native local agent 的号池回答',
+      };
+    },
+  });
+  await writeFile(
+    platformSessionFile,
+    `${JSON.stringify({
+      apiBaseUrl: 'http://127.0.0.1:9',
+      deviceToken: 'cp_dev_secret',
+      createdAt: '2026-06-01T00:00:00.000Z',
+      user: { id: 'usr_1', email: 'dev@example.com' },
+      device: { id: 'dev_1', status: 'active', lastHeartbeatAt: '2026-06-01T00:00:00.000Z' },
+      platformMode: 'active',
+      activeProductId: 'prod_basic',
+      platformModeStartedAt: '2026-06-01T00:05:00.000Z',
+      poolSession: {
+        id: 'pool_session_1',
+        productId: 'prod_basic',
+        providerType: 'development',
+        status: 'active',
+        startedAt: '2026-06-01T00:05:00.000Z',
+        expiresAt: '2999-06-01T00:20:00.000Z',
+        routeTokenExpiresAt: '2999-06-01T00:10:00.000Z',
+        routeStrategy: 'platform-gateway',
+        bannedModels: [],
+        capabilities: { streaming: false, usageEstimate: false, hardSpendLimit: false },
+      },
+      routeToken: {
+        token: 'rt_secret_value',
+        expiresAt: '2999-06-01T00:10:00.000Z',
+      },
+    }, null, 2)}\n`,
+    'utf8',
+  );
+
+  try {
+    const response = await requestJson(service.port, '/chat/completions', {
+      method: 'POST',
+      headers: { authorization: 'Bearer cursor-pool-local' },
+      body: {
+        model: 'gpt-test',
+        stream: false,
+        messages: [{ role: 'user', content: 'create temp file' }],
+        tools: [{ type: 'function', function: { name: 'edit_file' } }],
+      },
+    });
+
+    assert.equal(response.status, 200);
+    assert.equal(response.body.object, 'chat.completion');
+    assert.equal(response.body.model, 'gpt-test');
+    assert.equal(response.body.choices[0].message.role, 'assistant');
+    assert.equal(response.body.choices[0].message.content, '来自 native local agent 的号池回答');
+
+    const latest = await requestJson(service.port, '/agent/request-gateway/latest');
+    assert.equal(latest.body.gateway.forward.upstreamRequestId, 'gw_req_openai_1');
+    assert.doesNotMatch(JSON.stringify(latest.body), /create temp file|messages|rt_secret_value/);
+  } finally {
+    await service.stop();
+    await rm(tempDir, { recursive: true, force: true });
+  }
+});
+
+test('local service OpenAI-compatible chat completions completes settlement after client response', async () => {
+  const tempDir = await mkdtemp(join(tmpdir(), 'cursor-pool-service-openai-complete-'));
+  const platformSessionFile = join(tempDir, 'platform-session.json');
+  const calls: Array<{ url: string; body: Record<string, unknown> }> = [];
+  const platformApi = await createPlatformApiServer(async (request, response) => {
+    const chunks: Buffer[] = [];
+    for await (const chunk of request) {
+      chunks.push(Buffer.isBuffer(chunk) ? chunk : Buffer.from(chunk));
+    }
+    const body = JSON.parse(Buffer.concat(chunks).toString('utf8')) as Record<string, unknown>;
+    calls.push({ url: request.url || '', body });
+
+    if (request.method === 'POST' && request.url === '/api/client/gateway/agent') {
+      writeJson(response, 200, {
+        state: 'forwarded',
+        upstreamRequestId: 'gw_req_openai_complete_1',
+        acceptedAt: '2026-06-01T00:30:00.000Z',
+        routeExpiresAt: '2999-06-01T00:10:00.000Z',
+        usageRequestId: 'ur_complete_1',
+        content: 'OK',
+      });
+      return;
+    }
+
+    if (request.method === 'POST' && request.url === '/api/client/gateway/agent/req-openai-complete/complete') {
+      writeJson(response, 200, {
+        state: 'charged',
+        usageRequestId: 'ur_complete_1',
+        chargeStatus: 'charged',
+        chargeCredits: 1,
+      });
+      return;
+    }
+
+    writeJson(response, 404, { ok: false });
+  });
+  const service = await startServer({
+    runtimeFile: join(tempDir, 'runtime.json'),
+    platformSessionFile,
+  });
+  await writeFile(
+    platformSessionFile,
+    `${JSON.stringify({
+      apiBaseUrl: platformApi.apiBaseUrl,
+      deviceToken: 'cp_dev_secret',
+      createdAt: '2026-06-01T00:00:00.000Z',
+      user: { id: 'usr_1', email: 'dev@example.com' },
+      device: { id: 'dev_1', status: 'active', lastHeartbeatAt: '2026-06-01T00:00:00.000Z' },
+      platformMode: 'active',
+      activeProductId: 'prod_basic',
+      platformModeStartedAt: '2026-06-01T00:05:00.000Z',
+      poolSession: {
+        id: 'pool_session_1',
+        productId: 'prod_basic',
+        providerType: 'development',
+        status: 'active',
+        startedAt: '2026-06-01T00:05:00.000Z',
+        expiresAt: '2999-06-01T00:20:00.000Z',
+        routeTokenExpiresAt: '2999-06-01T00:10:00.000Z',
+        routeStrategy: 'platform-gateway',
+        bannedModels: [],
+        capabilities: { streaming: false, usageEstimate: false, hardSpendLimit: false },
+      },
+      routeToken: {
+        token: 'rt_secret_value',
+        expiresAt: '2999-06-01T00:10:00.000Z',
+      },
+    }, null, 2)}\n`,
+    'utf8',
+  );
+
+  try {
+    const response = await requestJson(service.port, '/chat/completions', {
+      method: 'POST',
+      headers: { authorization: 'Bearer cursor-pool-local' },
+      body: {
+        requestId: 'req-openai-complete',
+        model: 'gpt-test',
+        stream: false,
+        messages: [{ role: 'user', content: '只回复 OK' }],
+      },
+    });
+
+    assert.equal(response.status, 200);
+    assert.equal(response.body.choices[0].message.content, 'OK');
+    assert.equal(calls[0].body.routeToken, 'rt_secret_value');
+    assert.equal(calls[0].body.poolSessionId, 'pool_session_1');
+    assert.equal(calls[0].body.productId, 'prod_basic');
+    assert.equal(calls[0].body.settlementMode, 'client_response');
+    assert.equal(await waitFor(() => calls.length >= 2), true);
+    assert.deepEqual(calls.map((call) => call.url), [
+      '/api/client/gateway/agent',
+      '/api/client/gateway/agent/req-openai-complete/complete',
+    ]);
+    assert.deepEqual(calls[1].body, {
+      routeToken: 'rt_secret_value',
+      poolSessionId: 'pool_session_1',
+      productId: 'prod_basic',
+    });
+  } finally {
+    await service.stop();
+    await platformApi.close();
+    await rm(tempDir, { recursive: true, force: true });
+  }
+});
+
+test('local service OpenAI-compatible chat completions skips settlement when client disconnects', async () => {
+  const tempDir = await mkdtemp(join(tmpdir(), 'cursor-pool-service-openai-disconnect-'));
+  const platformSessionFile = join(tempDir, 'platform-session.json');
+  const calls: Array<{ url: string; body: Record<string, unknown> }> = [];
+  const platformApi = await createPlatformApiServer(async (request, response) => {
+    const chunks: Buffer[] = [];
+    for await (const chunk of request) {
+      chunks.push(Buffer.isBuffer(chunk) ? chunk : Buffer.from(chunk));
+    }
+    const body = chunks.length > 0
+      ? JSON.parse(Buffer.concat(chunks).toString('utf8')) as Record<string, unknown>
+      : {};
+    calls.push({ url: request.url || '', body });
+
+    if (request.method === 'POST' && request.url === '/api/client/gateway/agent') {
+      await new Promise((resolve) => setTimeout(resolve, 80));
+      writeJson(response, 200, {
+        state: 'forwarded',
+        upstreamRequestId: 'gw_req_openai_disconnect_1',
+        acceptedAt: '2026-06-01T00:30:00.000Z',
+        routeExpiresAt: '2999-06-01T00:10:00.000Z',
+        usageRequestId: 'ur_disconnect_1',
+        content: 'OK',
+      });
+      return;
+    }
+
+    if (request.method === 'POST' && request.url === '/api/client/gateway/agent/req-openai-disconnect/complete') {
+      writeJson(response, 200, {
+        state: 'charged',
+        usageRequestId: 'ur_disconnect_1',
+        chargeStatus: 'charged',
+        chargeCredits: 1,
+      });
+      return;
+    }
+
+    writeJson(response, 404, { ok: false });
+  });
+  const service = await startServer({
+    runtimeFile: join(tempDir, 'runtime.json'),
+    platformSessionFile,
+  });
+  await writeFile(
+    platformSessionFile,
+    `${JSON.stringify({
+      apiBaseUrl: platformApi.apiBaseUrl,
+      deviceToken: 'cp_dev_secret',
+      createdAt: '2026-06-01T00:00:00.000Z',
+      user: { id: 'usr_1', email: 'dev@example.com' },
+      device: { id: 'dev_1', status: 'active', lastHeartbeatAt: '2026-06-01T00:00:00.000Z' },
+      platformMode: 'active',
+      activeProductId: 'prod_basic',
+      platformModeStartedAt: '2026-06-01T00:05:00.000Z',
+      poolSession: {
+        id: 'pool_session_1',
+        productId: 'prod_basic',
+        providerType: 'real_http',
+        status: 'active',
+        startedAt: '2026-06-01T00:05:00.000Z',
+        expiresAt: '2999-06-01T00:20:00.000Z',
+        routeTokenExpiresAt: '2999-06-01T00:10:00.000Z',
+        routeStrategy: 'platform-gateway',
+        bannedModels: [],
+        capabilities: { streaming: false, usageEstimate: false, hardSpendLimit: false },
+      },
+      routeToken: {
+        token: 'rt_secret_value',
+        expiresAt: '2999-06-01T00:10:00.000Z',
+      },
+    }, null, 2)}\n`,
+    'utf8',
+  );
+
+  try {
+    await postJsonAndAbort(service.port, '/chat/completions', {
+      requestId: 'req-openai-disconnect',
+      model: 'gpt-test',
+      stream: false,
+      messages: [{ role: 'user', content: '只回复 OK' }],
+    });
+
+    assert.equal(await waitFor(() => calls.length >= 1), true);
+    await new Promise((resolve) => setTimeout(resolve, 150));
+    assert.deepEqual(calls.map((call) => call.url), ['/api/client/gateway/agent']);
+  } finally {
+    await service.stop();
+    await platformApi.close();
+    await rm(tempDir, { recursive: true, force: true });
+  }
+});
+
+test('local service OpenAI-compatible chat completions refreshes expired pool route before answering', async () => {
+  const tempDir = await mkdtemp(join(tmpdir(), 'cursor-pool-service-openai-refresh-route-'));
+  const platformSessionFile = join(tempDir, 'platform-session.json');
+  const service = await startServer({
+    runtimeFile: join(tempDir, 'runtime.json'),
+    platformSessionFile,
+    platformStartPoolSession: async () => ({
+      session: {
+        id: 'pool_session_fresh',
+        productId: 'prod_basic',
+        providerType: 'real_http',
+        status: 'active',
+        startedAt: '2026-06-01T00:31:00.000Z',
+        expiresAt: '2999-06-01T01:31:00.000Z',
+        routeTokenExpiresAt: '2999-06-01T00:46:00.000Z',
+        routeStrategy: 'platform-gateway',
+        bannedModels: [],
+        capabilities: { streaming: false, usageEstimate: false, hardSpendLimit: false },
+      },
+      routeToken: 'rt_fresh_value',
+    }),
+    gatewayForwarder: async (request) => {
+      assert.equal(request.routeToken, 'rt_fresh_value');
+      assert.equal(request.poolSessionId, 'pool_session_fresh');
+      return {
+        state: 'forwarded',
+        upstreamRequestId: 'gw_req_openai_fresh_1',
+        acceptedAt: '2026-06-01T00:31:10.000Z',
+        routeExpiresAt: '2999-06-01T00:46:00.000Z',
+        content: 'OK',
+      };
+    },
+  });
+  await writeFile(
+    platformSessionFile,
+    `${JSON.stringify({
+      apiBaseUrl: 'http://127.0.0.1:9',
+      deviceToken: 'cp_dev_secret',
+      createdAt: '2026-06-01T00:00:00.000Z',
+      user: { id: 'usr_1', email: 'dev@example.com' },
+      device: { id: 'dev_1', status: 'active', lastHeartbeatAt: '2026-06-01T00:00:00.000Z' },
+      selectedProductId: 'prod_basic',
+      platformMode: 'active',
+      activeProductId: 'prod_basic',
+      platformModeStartedAt: '2026-06-01T00:05:00.000Z',
+      poolSession: {
+        id: 'pool_session_expired',
+        productId: 'prod_basic',
+        providerType: 'real_http',
+        status: 'active',
+        startedAt: '2026-06-01T00:05:00.000Z',
+        expiresAt: '2999-06-01T00:20:00.000Z',
+        routeTokenExpiresAt: '2026-06-01T00:10:00.000Z',
+        routeStrategy: 'platform-gateway',
+        bannedModels: [],
+        capabilities: { streaming: false, usageEstimate: false, hardSpendLimit: false },
+      },
+      routeToken: {
+        token: 'rt_expired_value',
+        expiresAt: '2026-06-01T00:10:00.000Z',
+      },
+    }, null, 2)}\n`,
+    'utf8',
+  );
+
+  try {
+    const response = await requestJson(service.port, '/chat/completions', {
+      method: 'POST',
+      headers: { authorization: 'Bearer cursor-pool-local' },
+      body: {
+        model: 'gpt-test',
+        stream: false,
+        messages: [{ role: 'user', content: '只回复 OK' }],
+      },
+    });
+
+    assert.equal(response.status, 200);
+    assert.equal(response.body.choices[0].message.content, 'OK');
+
+    const latest = await requestJson(service.port, '/agent/request-gateway/latest');
+    assert.equal(latest.body.gateway.forward.upstreamRequestId, 'gw_req_openai_fresh_1');
+  } finally {
+    await service.stop();
+    await rm(tempDir, { recursive: true, force: true });
+  }
+});
+
+test('local service OpenAI-compatible chat completions rejects instead of answering when platform mode is inactive', async () => {
+  const tempDir = await mkdtemp(join(tmpdir(), 'cursor-pool-service-openai-inactive-'));
+  const service = await startServer({
+    runtimeFile: join(tempDir, 'runtime.json'),
+    platformSessionFile: join(tempDir, 'missing-platform-session.json'),
+  });
+
+  try {
+    const response = await requestJson(service.port, '/chat/completions', {
+      method: 'POST',
+      headers: { authorization: 'Bearer cursor-pool-local' },
+      body: {
+        model: 'gpt-test',
+        stream: false,
+        messages: [{ role: 'user', content: '你好' }],
+      },
+    });
+
+    assert.equal(response.status, 409);
+    assert.deepEqual(response.body, {
+      error: {
+        message: 'Cursor Pool platform mode is inactive; use the official Cursor path.',
+        type: 'cursor_pool_bypass',
+        code: 'cursor_pool_bypass',
+      },
+    });
+  } finally {
+    await service.stop();
+    await rm(tempDir, { recursive: true, force: true });
+  }
+});
+
+test('local service OpenAI-compatible chat completions answers fail-closed when provider needs manual review', async () => {
+  const tempDir = await mkdtemp(join(tmpdir(), 'cursor-pool-service-openai-manual-review-'));
+  const platformSessionFile = join(tempDir, 'platform-session.json');
+  const service = await startServer({
+    runtimeFile: join(tempDir, 'runtime.json'),
+    platformSessionFile,
+    gatewayForwarder: async () => ({
+      state: 'rejected',
+      reason: 'manual-review-required',
+    }),
+  });
+  await writeFile(
+    platformSessionFile,
+    `${JSON.stringify({
+      apiBaseUrl: 'http://127.0.0.1:9',
+      deviceToken: 'cp_dev_secret',
+      createdAt: '2026-06-01T00:00:00.000Z',
+      user: { id: 'usr_1', email: 'dev@example.com' },
+      device: { id: 'dev_1', status: 'active', lastHeartbeatAt: '2026-06-01T00:00:00.000Z' },
+      platformMode: 'active',
+      activeProductId: 'prod_basic',
+      platformModeStartedAt: '2026-06-01T00:05:00.000Z',
+      poolSession: {
+        id: 'pool_session_1',
+        productId: 'prod_basic',
+        providerType: 'development',
+        status: 'active',
+        startedAt: '2026-06-01T00:05:00.000Z',
+        expiresAt: '2999-06-01T00:20:00.000Z',
+        routeTokenExpiresAt: '2999-06-01T00:10:00.000Z',
+        routeStrategy: 'platform-gateway',
+        bannedModels: [],
+        capabilities: { streaming: false, usageEstimate: false, hardSpendLimit: false },
+      },
+      routeToken: {
+        token: 'rt_secret_value',
+        expiresAt: '2999-06-01T00:10:00.000Z',
+      },
+    }, null, 2)}\n`,
+    'utf8',
+  );
+
+  try {
+    const response = await requestJson(service.port, '/chat/completions', {
+      method: 'POST',
+      headers: { authorization: 'Bearer cursor-pool-local' },
+      body: {
+        model: 'gpt-test',
+        stream: false,
+        messages: [{ role: 'user', content: 'two sum' }],
+      },
+    });
+
+    assert.equal(response.status, 200);
+    assert.equal(response.body.object, 'chat.completion');
+    assert.match(response.body.choices[0].message.content, /号池 provider 未就绪/);
+
+    const latest = await requestJson(service.port, '/agent/request-gateway/latest');
+    assert.deepEqual(latest.body.gateway.forward, {
+      state: 'rejected',
+      reason: 'manual-review-required',
+    });
+  } finally {
+    await service.stop();
+    await rm(tempDir, { recursive: true, force: true });
+  }
+});
+
+test('local service OpenAI-compatible chat completions passes raw request only to gateway forwarder', async () => {
+  const tempDir = await mkdtemp(join(tmpdir(), 'cursor-pool-service-openai-raw-forwarder-'));
+  const platformSessionFile = join(tempDir, 'platform-session.json');
+  const service = await startServer({
+    runtimeFile: join(tempDir, 'runtime.json'),
+    platformSessionFile,
+    gatewayForwarder: async (request) => {
+      assert.deepEqual(request.openAiRequest, {
+        model: 'gpt-test',
+        stream: false,
+        messages: [{ role: 'user', content: 'create temp file' }],
+        tools: [{ type: 'function', function: { name: 'edit_file' } }],
+      });
+      return {
+        state: 'forwarded',
+        upstreamRequestId: 'gw_req_openai_raw_1',
+        acceptedAt: '2026-06-01T00:30:00.000Z',
+        routeExpiresAt: '2999-06-01T00:10:00.000Z',
+        openAiResponse: {
+          id: 'chatcmpl-provider-tool',
+          object: 'chat.completion',
+          created: 1780306600,
+          model: 'gpt-test',
+          choices: [
+            {
+              index: 0,
+              message: {
+                role: 'assistant',
+                content: null,
+                tool_calls: [
+                  {
+                    id: 'call_1',
+                    type: 'function',
+                    function: {
+                      name: 'edit_file',
+                      arguments: '{"path":"tmp/cursor-pool-agent-test.txt"}',
+                    },
+                  },
+                ],
+              },
+              finish_reason: 'tool_calls',
+            },
+          ],
+        },
+      };
+    },
+  });
+  await writeFile(
+    platformSessionFile,
+    `${JSON.stringify({
+      apiBaseUrl: 'http://127.0.0.1:9',
+      deviceToken: 'cp_dev_secret',
+      createdAt: '2026-06-01T00:00:00.000Z',
+      user: { id: 'usr_1', email: 'dev@example.com' },
+      device: { id: 'dev_1', status: 'active', lastHeartbeatAt: '2026-06-01T00:00:00.000Z' },
+      platformMode: 'active',
+      activeProductId: 'prod_basic',
+      platformModeStartedAt: '2026-06-01T00:05:00.000Z',
+      poolSession: {
+        id: 'pool_session_1',
+        productId: 'prod_basic',
+        providerType: 'development',
+        status: 'active',
+        startedAt: '2026-06-01T00:05:00.000Z',
+        expiresAt: '2999-06-01T00:20:00.000Z',
+        routeTokenExpiresAt: '2999-06-01T00:10:00.000Z',
+        routeStrategy: 'platform-gateway',
+        bannedModels: [],
+        capabilities: { streaming: false, usageEstimate: false, hardSpendLimit: false },
+      },
+      routeToken: {
+        token: 'rt_secret_value',
+        expiresAt: '2999-06-01T00:10:00.000Z',
+      },
+    }, null, 2)}\n`,
+    'utf8',
+  );
+
+  try {
+    const response = await requestJson(service.port, '/chat/completions', {
+      method: 'POST',
+      headers: { authorization: 'Bearer cursor-pool-local' },
+      body: {
+        model: 'gpt-test',
+        stream: false,
+        messages: [{ role: 'user', content: 'create temp file' }],
+        tools: [{ type: 'function', function: { name: 'edit_file' } }],
+      },
+    });
+
+    assert.equal(response.status, 200);
+    assert.equal(response.body.choices[0].message.tool_calls[0].function.name, 'edit_file');
+
+    const latest = await requestJson(service.port, '/agent/request-gateway/latest');
+    assert.equal(latest.body.gateway.forward.upstreamRequestId, 'gw_req_openai_raw_1');
+    assert.doesNotMatch(JSON.stringify(latest.body), /create temp file|messages|edit_file|tool_calls/);
+  } finally {
+    await service.stop();
+    await rm(tempDir, { recursive: true, force: true });
+  }
+});
+
+test('local service OpenAI-compatible chat completions supports Cursor streaming mode', async () => {
+  const tempDir = await mkdtemp(join(tmpdir(), 'cursor-pool-service-openai-stream-'));
+  const platformSessionFile = join(tempDir, 'platform-session.json');
+  const service = await startServer({
+    runtimeFile: join(tempDir, 'runtime.json'),
+    platformSessionFile,
+    gatewayForwarder: async () => ({
+      state: 'forwarded',
+      upstreamRequestId: 'gw_req_stream_1',
+      acceptedAt: '2026-06-01T00:30:00.000Z',
+      routeExpiresAt: '2999-06-01T00:10:00.000Z',
+      content: 'streamed provider answer',
+    }),
+  });
+  await writeFile(
+    platformSessionFile,
+    `${JSON.stringify({
+      apiBaseUrl: 'http://127.0.0.1:9',
+      deviceToken: 'cp_dev_secret',
+      createdAt: '2026-06-01T00:00:00.000Z',
+      user: { id: 'usr_1', email: 'dev@example.com' },
+      device: { id: 'dev_1', status: 'active', lastHeartbeatAt: '2026-06-01T00:00:00.000Z' },
+      platformMode: 'active',
+      activeProductId: 'prod_basic',
+      platformModeStartedAt: '2026-06-01T00:05:00.000Z',
+      poolSession: {
+        id: 'pool_session_1',
+        productId: 'prod_basic',
+        providerType: 'development',
+        status: 'active',
+        startedAt: '2026-06-01T00:05:00.000Z',
+        expiresAt: '2999-06-01T00:20:00.000Z',
+        routeTokenExpiresAt: '2999-06-01T00:10:00.000Z',
+        routeStrategy: 'platform-gateway',
+        bannedModels: [],
+        capabilities: { streaming: false, usageEstimate: false, hardSpendLimit: false },
+      },
+      routeToken: {
+        token: 'rt_secret_value',
+        expiresAt: '2999-06-01T00:10:00.000Z',
+      },
+    }, null, 2)}\n`,
+    'utf8',
+  );
+
+  try {
+    const response = await requestText(service.port, '/chat/completions', {
+      method: 'POST',
+      headers: { authorization: 'Bearer cursor-pool-local' },
+      body: {
+        model: 'gpt-test',
+        stream: true,
+        messages: [{ role: 'user', content: 'stream smoke' }],
+      },
+    });
+
+    assert.equal(response.status, 200);
+    assert.match(response.text, /^data: /);
+    assert.match(response.text, /"object":"chat.completion.chunk"/);
+    assert.match(response.text, /"content":"streamed provider answer"/);
+    assert.match(response.text, /data: \[DONE\]/);
+  } finally {
+    await service.stop();
+    await rm(tempDir, { recursive: true, force: true });
+  }
+});
+
+test('local service request-gateway does not call forwarder for non-accepted decisions', async () => {
+  const tempDir = await mkdtemp(join(tmpdir(), 'cursor-pool-service-gateway-'));
+  let calls = 0;
+  const service = await startServer({
+    runtimeFile: join(tempDir, 'runtime.json'),
+    platformSessionFile: join(tempDir, 'missing-platform-session.json'),
+    gatewayForwarder: async () => {
+      calls += 1;
+      return {
+        state: 'forwarded',
+        upstreamRequestId: 'gw_req_1',
+        acceptedAt: '2026-05-31T00:30:00.000Z',
+        routeExpiresAt: '2999-05-31T00:10:00.000Z',
+      };
+    },
+  });
+
+  try {
+    const posted = await requestJson(service.port, '/agent/request-gateway', {
+      method: 'POST',
+      body: {
+        requestId: 'req-gateway-1',
+        source: 'manual-check',
+        model: 'gpt-test',
+      },
+    });
+
+    assert.equal(posted.status, 200);
+    assert.equal(posted.body.ok, false);
+    assert.equal(calls, 0);
+    assert.deepEqual(posted.body.gateway.forward, { state: 'skipped', reason: 'not-accepted' });
+  } finally {
+    await service.stop();
+    await rm(tempDir, { recursive: true, force: true });
+  }
+});
+
+test('local service request-gateway rejects unsafe request id before response and diagnostics', async () => {
+  const tempDir = await mkdtemp(join(tmpdir(), 'cursor-pool-service-gateway-'));
+  const diagnosticsFile = join(tempDir, 'diagnostics.jsonl');
+  const service = await startServer({
+    runtimeFile: join(tempDir, 'runtime.json'),
+    platformSessionFile: join(tempDir, 'missing-platform-session.json'),
+    diagnosticsFile,
+  });
+
+  try {
+    const posted = await requestJson(service.port, '/agent/request-gateway', {
+      method: 'POST',
+      body: {
+        requestId: 'req-1 apiKey=secret',
+        source: 'manual-check',
+        model: 'gpt-test',
+      },
+    });
+
+    assert.equal(posted.status, 200);
+    assert.equal(posted.body.ok, false);
+    assert.notEqual(posted.body.gateway.requestId, 'req-1 apiKey=secret');
+    assert.doesNotMatch(JSON.stringify(posted.body), /apiKey|secret/);
+
+    const latest = await requestJson(service.port, '/agent/request-gateway/latest');
+    assert.deepEqual(latest.body, { ok: true, gateway: posted.body.gateway });
+    assert.doesNotMatch(JSON.stringify(latest.body), /apiKey|secret/);
+
+    const saved = JSON.parse((await readFile(diagnosticsFile, 'utf8')).trim()) as Record<string, unknown>;
+    assert.equal(saved.kind, 'agent-request-gateway');
+    assert.equal(saved.requestId, posted.body.gateway.requestId);
+    assert.doesNotMatch(JSON.stringify(saved), /apiKey|secret/);
+  } finally {
+    await service.stop();
+    await rm(tempDir, { recursive: true, force: true });
+  }
+});
+
+test('local service request-gateway returns route-missing and latest state', async () => {
+  const tempDir = await mkdtemp(join(tmpdir(), 'cursor-pool-service-gateway-'));
+  const platformSessionFile = join(tempDir, 'platform-session.json');
+  const service = await startServer({
+    runtimeFile: join(tempDir, 'runtime.json'),
+    platformSessionFile,
+  });
+  await writeFile(
+    platformSessionFile,
+    `${JSON.stringify({
+      apiBaseUrl: 'http://127.0.0.1:9',
+      deviceToken: 'cp_dev_secret',
+      createdAt: '2026-05-31T00:00:00.000Z',
+      user: { id: 'usr_1', email: 'dev@example.com' },
+      device: { id: 'dev_1', status: 'active', lastHeartbeatAt: '2026-05-31T00:00:00.000Z' },
+      platformMode: 'active',
+      activeProductId: 'prod_basic',
+      platformModeStartedAt: '2026-05-31T00:05:00.000Z',
+    }, null, 2)}\n`,
+    'utf8',
+  );
+
+  try {
+    const initial = await requestJson(service.port, '/agent/request-gateway/latest');
+    assert.deepEqual(initial.body, { ok: true, gateway: null });
+
+    const posted = await requestJson(service.port, '/agent/request-gateway', {
+      method: 'POST',
+      body: { requestId: 'req-gateway-missing', source: 'manual-check' },
+    });
+
+    assert.equal(posted.status, 200);
+    assert.equal(posted.body.ok, false);
+    assert.deepEqual(posted.body.gateway.decision, {
+      state: 'route-missing',
+      productId: 'prod_basic',
+      modeStartedAt: '2026-05-31T00:05:00.000Z',
+      route: { state: 'missing' },
+    });
+
+    const latest = await requestJson(service.port, '/agent/request-gateway/latest');
+    assert.deepEqual(latest.body, { ok: true, gateway: posted.body.gateway });
+  } finally {
+    await service.stop();
+    await rm(tempDir, { recursive: true, force: true });
+  }
+});
+
+test('local service request-gateway returns blocked decision for logged-out session', async () => {
+  const tempDir = await mkdtemp(join(tmpdir(), 'cursor-pool-service-gateway-'));
+  const service = await startServer({
+    runtimeFile: join(tempDir, 'runtime.json'),
+    platformSessionFile: join(tempDir, 'missing-platform-session.json'),
+  });
+
+  try {
+    const posted = await requestJson(service.port, '/agent/request-gateway', {
+      method: 'POST',
+      body: { requestId: 'req-gateway-logged-out', model: 'sk-live-secret-token' },
+    });
+
+    assert.equal(posted.status, 200);
+    assert.equal(posted.body.ok, false);
+    assert.equal(posted.body.gateway.model, 'unknown');
+    assert.deepEqual(posted.body.gateway.decision, {
+      state: 'blocked',
+      reason: 'logged-out',
+      route: { state: 'missing' },
+    });
+  } finally {
+    await service.stop();
+    await rm(tempDir, { recursive: true, force: true });
+  }
+});
+
+test('local service request-gateway returns route-expired decision', async () => {
+  const tempDir = await mkdtemp(join(tmpdir(), 'cursor-pool-service-gateway-'));
+  const platformSessionFile = join(tempDir, 'platform-session.json');
+  const service = await startServer({
+    runtimeFile: join(tempDir, 'runtime.json'),
+    platformSessionFile,
+  });
+  await writeFile(
+    platformSessionFile,
+    `${JSON.stringify({
+      apiBaseUrl: 'http://127.0.0.1:9',
+      deviceToken: 'cp_dev_secret',
+      createdAt: '2026-05-31T00:00:00.000Z',
+      user: { id: 'usr_1', email: 'dev@example.com' },
+      device: { id: 'dev_1', status: 'active', lastHeartbeatAt: '2026-05-31T00:00:00.000Z' },
+      platformMode: 'active',
+      activeProductId: 'prod_basic',
+      platformModeStartedAt: '2026-05-31T00:05:00.000Z',
+      routeToken: {
+        token: 'rt_secret_value',
+        expiresAt: '2000-01-01T00:00:00.000Z',
+      },
+    }, null, 2)}\n`,
+    'utf8',
+  );
+
+  try {
+    const posted = await requestJson(service.port, '/agent/request-gateway', {
+      method: 'POST',
+      body: { requestId: 'req-gateway-expired', source: 'manual-check' },
+    });
+
+    assert.equal(posted.status, 200);
+    assert.equal(posted.body.ok, false);
+    assert.deepEqual(posted.body.gateway.decision, {
+      state: 'route-expired',
+      productId: 'prod_basic',
+      modeStartedAt: '2026-05-31T00:05:00.000Z',
+      route: { state: 'expired', expiresAt: '2000-01-01T00:00:00.000Z' },
+    });
+    assert.doesNotMatch(JSON.stringify(posted.body), /rt_secret_value|routeToken/);
+  } finally {
+    await service.stop();
+    await rm(tempDir, { recursive: true, force: true });
+  }
+});
+
+test('local service request-gateway rejects invalid JSON', async () => {
+  const tempDir = await mkdtemp(join(tmpdir(), 'cursor-pool-service-gateway-'));
+  const service = await startServer({ runtimeFile: join(tempDir, 'runtime.json') });
+
+  try {
+    const response = await fetch(`http://127.0.0.1:${service.port}/agent/request-gateway`, {
+      method: 'POST',
+      headers: { 'content-type': 'application/json' },
+      body: '{not-json',
+    });
+    const body = await response.json();
+
+    assert.equal(response.status, 400);
+    assert.deepEqual(body, { ok: false, error: 'invalid request' });
+  } finally {
+    await service.stop();
+    await rm(tempDir, { recursive: true, force: true });
+  }
+});
+
+test('local service keeps request-gateway available when diagnostics write fails', async () => {
+  const tempDir = await mkdtemp(join(tmpdir(), 'cursor-pool-service-gateway-'));
+  const service = await startServer({
+    runtimeFile: join(tempDir, 'runtime.json'),
+    platformSessionFile: join(tempDir, 'missing-platform-session.json'),
+    diagnosticsFile: tempDir,
+  });
+
+  try {
+    const posted = await requestJson(service.port, '/agent/request-gateway', {
+      method: 'POST',
+      body: { requestId: 'req-gateway-1' },
+    });
+
+    assert.equal(posted.status, 200);
+    assert.equal(posted.body.ok, false);
+    assert.equal(posted.body.gateway.requestId, 'req-gateway-1');
+    assert.deepEqual(posted.body.gateway.decision, {
+      state: 'blocked',
+      reason: 'logged-out',
+      route: { state: 'missing' },
+    });
+  } finally {
+    await service.stop();
+    await rm(tempDir, { recursive: true, force: true });
+  }
+});
+
+test('local service returns release reason from platform status route', async () => {
+  const tempDir = await mkdtemp(join(tmpdir(), 'cursor-pool-service-'));
+  const sessionFile = join(tempDir, 'session.json');
+  const service = await startServer({ platformSessionFile: sessionFile });
+  await writeFile(
+    sessionFile,
+    `${JSON.stringify({
+      apiBaseUrl: 'http://127.0.0.1:9',
+      deviceToken: 'cp_dev_secret',
+      createdAt: '2026-05-31T00:00:00.000Z',
+      user: { id: 'usr_1', email: 'dev@example.com' },
+      device: { id: 'dev_1', status: 'active', lastHeartbeatAt: '2026-05-31T00:00:00.000Z' },
+      lastModeReleaseReason: 'invalid-token',
+      lastModeReleasedAt: '2026-05-31T00:05:00.000Z',
+    }, null, 2)}\n`,
+    'utf8',
+  );
+
+  try {
+    const response = await fetch(`http://${service.host}:${service.port}/platform/status`);
+    const body = await response.json() as {
+      state: string;
+      mode?: { state: string; releaseReason?: string; releasedAt?: string };
+    };
+
+    assert.equal(response.status, 200);
+    assert.equal(body.state, 'offline');
+    assert.deepEqual(body.mode, {
+      state: 'inactive',
+      releaseReason: 'invalid-token',
+      releasedAt: '2026-05-31T00:05:00.000Z',
+    });
+  } finally {
+    await service.stop();
+    await rm(tempDir, { recursive: true, force: true });
+  }
+});
+
+test('startServer finds a free loopback port when the requested port is busy', async () => {
+  const occupied = createNodeServer();
+  await new Promise<void>((resolve) => {
+    occupied.listen(0, '127.0.0.1', resolve);
+  });
+  const address = occupied.address();
+  assert.equal(typeof address, 'object');
+  const occupiedPort = address?.port as number;
+
+  const tempDir = await mkdtemp(join(tmpdir(), 'cursor-pool-service-'));
+  const service = await startServer({
+    port: occupiedPort,
+    runtimeFile: join(tempDir, 'runtime.json'),
+  });
+
+  try {
+    assert.equal(service.host, '127.0.0.1');
+    assert.notEqual(service.port, occupiedPort);
+    const health = await requestJson(service.port, '/health');
+    assert.equal(health.body.ok, true);
+  } finally {
+    await service.stop();
+    await new Promise<void>((resolve, reject) => {
+      occupied.close((error) => (error ? reject(error) : resolve()));
+    });
+    await rm(tempDir, { recursive: true, force: true });
+  }
+});
+
+test('startServer uses the stable Cursor workbench takeover port by default', async () => {
+  const tempDir = await mkdtemp(join(tmpdir(), 'cursor-pool-service-default-port-'));
+  const portProbe = createNodeServer((_request, response) => {
+    response.end('occupied');
+  });
+  const stablePortAvailable = await new Promise<boolean>((resolve) => {
+    portProbe.once('error', () => resolve(false));
+    portProbe.listen(56393, '127.0.0.1', () => resolve(true));
+  });
+  if (stablePortAvailable) {
+    await new Promise<void>((resolve, reject) => {
+      portProbe.close((error) => (error ? reject(error) : resolve()));
+    });
+  }
+  const service = await startServer({
+    runtimeFile: join(tempDir, 'runtime.json'),
+  });
+
+  try {
+    assert.equal(service.host, '127.0.0.1');
+    if (stablePortAvailable) {
+      assert.equal(service.port, 56393);
+    } else {
+      assert.notEqual(service.port, 56393);
+    }
+    const health = await requestJson(service.port, '/health');
+    assert.equal(health.status, 200);
+    assert.equal(health.body.port, service.port);
+  } finally {
+    await service.stop();
+    await rm(tempDir, { recursive: true, force: true });
+  }
+});