@cursorpool-dev/cli 0.5.6

package/test/diagnostics.test.ts

@@ -0,0 +1,709 @@
+import assert from 'node:assert/strict';
+import { mkdir, mkdtemp, readFile, rm, writeFile } from 'node:fs/promises';
+import { tmpdir } from 'node:os';
+import { dirname, join } from 'node:path';
+import test from 'node:test';
+import { clearDiagnostics, diagnostics } from '../src/diagnostics';
+
+const blockedGate = { state: 'blocked' as const, reason: 'logged-out' };
+
+const record = (requestId: string) => ({
+  requestId,
+  requestType: 'agent',
+  source: 'cursor-agent-exec',
+  model: 'unknown',
+  receivedAt: `2026-05-30T00:00:0${requestId}.000Z`,
+  runtimeId: 'runtime-1',
+  gate: blockedGate,
+});
+
+const requestCheckRecord = (requestId: string) => ({
+  kind: 'agent-request-check',
+  requestId,
+  requestType: 'agent',
+  source: 'cursor-agent-exec',
+  model: 'unknown',
+  receivedAt: `2026-05-31T00:00:0${requestId}.000Z`,
+  runtimeId: 'runtime-1',
+  decision: blockedGate,
+  route: { state: 'missing' as const },
+});
+
+const gatewayRecord = (requestId: string) => ({
+  kind: 'agent-request-gateway',
+  requestId,
+  requestType: 'agent',
+  source: 'cursor-agent-exec',
+  model: 'gpt-test',
+  receivedAt: `2026-05-31T00:20:0${requestId}.000Z`,
+  runtimeId: 'runtime-1',
+  decision: {
+    state: 'accepted',
+    productId: 'prod_basic',
+    modeStartedAt: '2026-05-31T00:05:00.000Z',
+    route: { state: 'ready', expiresAt: '2999-05-31T00:10:00.000Z' },
+  },
+  forward: { state: 'not-configured' },
+});
+
+const legacyRecord = (requestId: string) => {
+  const { gate: _gate, ...legacy } = record(requestId);
+  return legacy;
+};
+
+async function writeDiagnosticsFile(diagnosticsFile: string, lines: string[]) {
+  await mkdir(dirname(diagnosticsFile), { recursive: true });
+  await writeFile(diagnosticsFile, `${lines.join('\n')}\n`, 'utf8');
+}
+
+test('diagnostics reports missing when the diagnostics file does not exist', async () => {
+  const tempDir = await mkdtemp(join(tmpdir(), 'cursor-pool-cli-diagnostics-'));
+  const diagnosticsFile = join(tempDir, 'missing.jsonl');
+
+  try {
+    assert.equal(await diagnostics({ diagnosticsFile }), 'diagnostics: missing');
+  } finally {
+    await rm(tempDir, { recursive: true, force: true });
+  }
+});
+
+test('diagnostics reports empty when the diagnostics file has no valid entries', async () => {
+  const tempDir = await mkdtemp(join(tmpdir(), 'cursor-pool-cli-diagnostics-'));
+  const diagnosticsFile = join(tempDir, 'diagnostics.jsonl');
+
+  try {
+    await writeDiagnosticsFile(diagnosticsFile, [
+      '',
+      'not-json',
+      JSON.stringify({ requestId: 1 }),
+    ]);
+
+    assert.equal(await diagnostics({ diagnosticsFile }), 'diagnostics: empty');
+  } finally {
+    await rm(tempDir, { recursive: true, force: true });
+  }
+});
+
+test('diagnostics displays the most recent sanitized entries', async () => {
+  const tempDir = await mkdtemp(join(tmpdir(), 'cursor-pool-cli-diagnostics-'));
+  const diagnosticsFile = join(tempDir, 'diagnostics.jsonl');
+
+  try {
+    await writeDiagnosticsFile(diagnosticsFile, [
+      JSON.stringify(record('1')),
+      JSON.stringify({ ...record('2'), prompt: 'do not print', apiKey: 'secret' }),
+      JSON.stringify(record('3')),
+    ]);
+
+    const output = await diagnostics({ diagnosticsFile, limit: 2 });
+
+    assert.match(output, /^diagnostics: 2 entries\n/);
+    assert.doesNotMatch(output, /req-1|requestId=1/);
+    assert.match(
+      output,
+      /requestId=2 source=cursor-agent-exec requestType=agent model=unknown runtimeId=runtime-1 gate=blocked reason=logged-out/,
+    );
+    assert.match(
+      output,
+      /requestId=3 source=cursor-agent-exec requestType=agent model=unknown runtimeId=runtime-1 gate=blocked reason=logged-out/,
+    );
+    assert.doesNotMatch(output, /do not print|apiKey|secret|prompt/);
+  } finally {
+    await rm(tempDir, { recursive: true, force: true });
+  }
+});
+
+test('diagnostics displays allowed gate details in human and JSON output', async () => {
+  const tempDir = await mkdtemp(join(tmpdir(), 'cursor-pool-cli-diagnostics-'));
+  const diagnosticsFile = join(tempDir, 'diagnostics.jsonl');
+  const gate = {
+    state: 'allowed' as const,
+    productId: 'prod_basic',
+    modeStartedAt: '2026-05-31T00:05:00.000Z',
+  };
+
+  try {
+    await writeDiagnosticsFile(diagnosticsFile, [JSON.stringify({ ...record('1'), gate })]);
+
+    const humanOutput = await diagnostics({ diagnosticsFile });
+    const jsonOutput = await diagnostics({ diagnosticsFile, json: true });
+    const parsed = JSON.parse(jsonOutput) as Array<Record<string, unknown>>;
+
+    assert.match(humanOutput, /gate=allowed productId=prod_basic/);
+    assert.deepEqual(parsed, [{ kind: 'agent-canary', ...record('1'), gate }]);
+  } finally {
+    await rm(tempDir, { recursive: true, force: true });
+  }
+});
+
+test('diagnostics can emit sanitized JSON output', async () => {
+  const tempDir = await mkdtemp(join(tmpdir(), 'cursor-pool-cli-diagnostics-'));
+  const diagnosticsFile = join(tempDir, 'diagnostics.jsonl');
+
+  try {
+    await writeDiagnosticsFile(diagnosticsFile, [
+      JSON.stringify({ ...record('1'), messages: [{ role: 'user', content: 'secret' }] }),
+    ]);
+
+    const output = await diagnostics({ diagnosticsFile, json: true });
+    const parsed = JSON.parse(output) as Array<Record<string, unknown>>;
+
+    assert.deepEqual(parsed, [{ kind: 'agent-canary', ...record('1') }]);
+    assert.equal(Object.hasOwn(parsed[0], 'messages'), false);
+  } finally {
+    await rm(tempDir, { recursive: true, force: true });
+  }
+});
+
+test('diagnostics accepts old-format records without gate as unknown', async () => {
+  const tempDir = await mkdtemp(join(tmpdir(), 'cursor-pool-cli-diagnostics-'));
+  const diagnosticsFile = join(tempDir, 'diagnostics.jsonl');
+
+  try {
+    await writeDiagnosticsFile(diagnosticsFile, [JSON.stringify(legacyRecord('1'))]);
+
+    const output = await diagnostics({ diagnosticsFile });
+    const parsed = JSON.parse(await diagnostics({ diagnosticsFile, json: true }));
+
+    assert.match(output, /gate=unknown/);
+    assert.deepEqual(parsed, [
+      { kind: 'agent-canary', ...legacyRecord('1'), gate: { state: 'unknown' } },
+    ]);
+  } finally {
+    await rm(tempDir, { recursive: true, force: true });
+  }
+});
+
+test('diagnostics rejects malicious allowlisted values before output', async () => {
+  const tempDir = await mkdtemp(join(tmpdir(), 'cursor-pool-cli-diagnostics-'));
+  const diagnosticsFile = join(tempDir, 'diagnostics.jsonl');
+
+  try {
+    await writeDiagnosticsFile(diagnosticsFile, [
+      JSON.stringify({
+        ...record('1'),
+        requestId: 'req-1\nheaders=secret body=secret filePath=/private prompt=leak',
+      }),
+      JSON.stringify({
+        ...record('2'),
+        model: 'unknown\rauthorization=secret cookie=secret',
+      }),
+      JSON.stringify(record('3')),
+    ]);
+
+    const output = await diagnostics({ diagnosticsFile });
+    const parsed = JSON.parse(await diagnostics({ diagnosticsFile, json: true }));
+
+    assert.match(output, /^diagnostics: 2 entries\n/);
+    assert.match(output, /requestId=2 .*model=unknown/);
+    assert.match(output, /requestId=3/);
+    assert.doesNotMatch(
+      output,
+      /headers|body|filePath|prompt|authorization|cookie|secret|private|leak/,
+    );
+    assert.deepEqual(parsed, [
+      { kind: 'agent-canary', ...record('2'), model: 'unknown' },
+      { kind: 'agent-canary', ...record('3') },
+    ]);
+  } finally {
+    await rm(tempDir, { recursive: true, force: true });
+  }
+});
+
+test('diagnostics rejects same-line injected identity metadata before output', async () => {
+  const tempDir = await mkdtemp(join(tmpdir(), 'cursor-pool-cli-diagnostics-'));
+  const diagnosticsFile = join(tempDir, 'diagnostics.jsonl');
+
+  try {
+    await writeDiagnosticsFile(diagnosticsFile, [
+      JSON.stringify({
+        ...requestCheckRecord('1'),
+        requestId: 'req-1 apiKey=secret',
+      }),
+      JSON.stringify({
+        ...gatewayRecord('2'),
+        runtimeId: 'runtime-1 token=secret',
+      }),
+      JSON.stringify(record('3')),
+    ]);
+
+    const output = await diagnostics({ diagnosticsFile });
+    const parsed = JSON.parse(await diagnostics({ diagnosticsFile, json: true }));
+
+    assert.match(output, /^diagnostics: 1 entry\n/);
+    assert.match(output, /requestId=3/);
+    assert.doesNotMatch(output, /req-1 apiKey=secret|runtime-1 token=secret|apiKey|token|secret/);
+    assert.deepEqual(parsed, [{ kind: 'agent-canary', ...record('3') }]);
+  } finally {
+    await rm(tempDir, { recursive: true, force: true });
+  }
+});
+
+test('diagnostics sanitizes secret-like model metadata before output', async () => {
+  const tempDir = await mkdtemp(join(tmpdir(), 'cursor-pool-cli-diagnostics-'));
+  const diagnosticsFile = join(tempDir, 'diagnostics.jsonl');
+
+  try {
+    await writeDiagnosticsFile(diagnosticsFile, [
+      JSON.stringify({
+        ...record('1'),
+        model: 'sk-secret-token',
+      }),
+      JSON.stringify({
+        ...requestCheckRecord('2'),
+        model: 'cursor-key',
+      }),
+      JSON.stringify({
+        ...gatewayRecord('3'),
+        model: 'provider-secret',
+      }),
+    ]);
+
+    const output = await diagnostics({ diagnosticsFile });
+    const parsed = JSON.parse(await diagnostics({ diagnosticsFile, json: true })) as Array<{
+      model: string;
+    }>;
+
+    assert.match(output, /^diagnostics: 3 entries\n/);
+    assert.match(output, /kind=agent-canary requestId=1 .*model=unknown/);
+    assert.match(output, /kind=agent-request-check requestId=2 .*model=unknown/);
+    assert.match(output, /kind=agent-request-gateway requestId=3 .*model=unknown/);
+    assert.doesNotMatch(output, /sk-secret-token|cursor-key|provider-secret|secret|token|key/);
+    assert.deepEqual(
+      parsed.map((entry) => entry.model),
+      ['unknown', 'unknown', 'unknown'],
+    );
+  } finally {
+    await rm(tempDir, { recursive: true, force: true });
+  }
+});
+
+test('diagnostics sanitizes malicious gate values before output', async () => {
+  const tempDir = await mkdtemp(join(tmpdir(), 'cursor-pool-cli-diagnostics-'));
+  const diagnosticsFile = join(tempDir, 'diagnostics.jsonl');
+
+  try {
+    await writeDiagnosticsFile(diagnosticsFile, [
+      JSON.stringify({
+        ...record('1'),
+        gate: {
+          state: 'allowed',
+          productId: 'prod_basic\nprompt=leak',
+          modeStartedAt: '2026-05-31T00:05:00.000Z',
+          prompt: 'do not print',
+          apiKey: 'secret',
+          extra: 'discard-me',
+        },
+      }),
+      JSON.stringify({
+        ...record('2'),
+        gate: {
+          state: 'blocked',
+          reason: 'logged-out\rapiKey=secret',
+          releaseReason: 'invalid-token',
+          releasedAt: '2026-05-31T00:10:00.000Z',
+          prompt: 'do not print',
+          apiKey: 'secret',
+          extra: 'discard-me',
+        },
+      }),
+      JSON.stringify({
+        ...record('3'),
+        gate: {
+          state: 'blocked',
+          reason: 'logged-out',
+          releaseReason: 'invalid-token',
+          releasedAt: '2026-05-31T00:10:00.000Z',
+          prompt: 'do not print',
+          apiKey: 'secret',
+          extra: 'discard-me',
+        },
+      }),
+      JSON.stringify({
+        ...record('4'),
+        gate: {
+          state: 'allowed',
+          productId: 'prod_basic apiKey=secret',
+          modeStartedAt: '2026-05-31T00:05:00.000Z',
+        },
+      }),
+      JSON.stringify({
+        ...record('5'),
+        gate: {
+          state: 'blocked',
+          reason: 'logged-out prompt=leak',
+        },
+      }),
+      JSON.stringify({
+        ...record('6'),
+        gate: {
+          state: 'blocked',
+          reason: 'logged-out',
+          releaseReason: 'invalid-token apiKey=secret',
+          releasedAt: '2026-05-31T00:10:00.000Z',
+        },
+      }),
+    ]);
+
+    const output = await diagnostics({ diagnosticsFile });
+    const parsed = JSON.parse(await diagnostics({ diagnosticsFile, json: true }));
+
+    assert.match(output, /^diagnostics: 6 entries\n/);
+    assert.match(output, /requestId=1 .*gate=unknown/);
+    assert.match(output, /requestId=2 .*gate=unknown/);
+    assert.match(
+      output,
+      /requestId=3 .*gate=blocked reason=logged-out releaseReason=invalid-token releasedAt=2026-05-31T00:10:00.000Z/,
+    );
+    assert.match(output, /requestId=4 .*gate=unknown/);
+    assert.match(output, /requestId=5 .*gate=unknown/);
+    assert.match(
+      output,
+      /requestId=6 .*gate=blocked reason=logged-out releasedAt=2026-05-31T00:10:00.000Z/,
+    );
+    assert.doesNotMatch(output, /prompt|apiKey|secret|extra|discard-me|leak/);
+    assert.deepEqual(parsed, [
+      { kind: 'agent-canary', ...record('1'), gate: { state: 'unknown' } },
+      { kind: 'agent-canary', ...record('2'), gate: { state: 'unknown' } },
+      {
+        kind: 'agent-canary',
+        ...record('3'),
+        gate: {
+          state: 'blocked',
+          reason: 'logged-out',
+          releaseReason: 'invalid-token',
+          releasedAt: '2026-05-31T00:10:00.000Z',
+        },
+      },
+      { kind: 'agent-canary', ...record('4'), gate: { state: 'unknown' } },
+      { kind: 'agent-canary', ...record('5'), gate: { state: 'unknown' } },
+      {
+        kind: 'agent-canary',
+        ...record('6'),
+        gate: {
+          state: 'blocked',
+          reason: 'logged-out',
+          releasedAt: '2026-05-31T00:10:00.000Z',
+        },
+      },
+    ]);
+    for (const entry of parsed as Array<{ gate: Record<string, unknown> }>) {
+      assert.equal(Object.hasOwn(entry.gate, 'prompt'), false);
+      assert.equal(Object.hasOwn(entry.gate, 'apiKey'), false);
+      assert.equal(Object.hasOwn(entry.gate, 'extra'), false);
+    }
+  } finally {
+    await rm(tempDir, { recursive: true, force: true });
+  }
+});
+
+test('diagnostics displays mixed canary and request-check entries', async () => {
+  const tempDir = await mkdtemp(join(tmpdir(), 'cursor-pool-cli-diagnostics-'));
+  const diagnosticsFile = join(tempDir, 'diagnostics.jsonl');
+
+  try {
+    await writeDiagnosticsFile(diagnosticsFile, [
+      JSON.stringify(record('1')),
+      JSON.stringify(requestCheckRecord('2')),
+    ]);
+
+    const output = await diagnostics({ diagnosticsFile });
+    const parsed = JSON.parse(await diagnostics({ diagnosticsFile, json: true }));
+
+    assert.match(output, /^diagnostics: 2 entries\n/);
+    assert.match(
+      output,
+      /kind=agent-canary requestId=1 source=cursor-agent-exec requestType=agent model=unknown runtimeId=runtime-1 gate=blocked reason=logged-out/,
+    );
+    assert.match(
+      output,
+      /kind=agent-request-check requestId=2 source=cursor-agent-exec requestType=agent model=unknown runtimeId=runtime-1 decision=blocked reason=logged-out route=missing/,
+    );
+    assert.deepEqual(parsed, [
+      { kind: 'agent-canary', ...record('1') },
+      requestCheckRecord('2'),
+    ]);
+  } finally {
+    await rm(tempDir, { recursive: true, force: true });
+  }
+});
+
+test('diagnostics displays request-gateway entries in human and JSON output', async () => {
+  const tempDir = await mkdtemp(join(tmpdir(), 'cursor-pool-cli-diagnostics-'));
+  const diagnosticsFile = join(tempDir, 'diagnostics.jsonl');
+
+  try {
+    await writeDiagnosticsFile(diagnosticsFile, [
+      JSON.stringify({
+        ...gatewayRecord('1'),
+        forward: {
+          state: 'rejected',
+          reason: 'rate-limited',
+          retryAfterMs: 1000,
+        },
+      }),
+    ]);
+
+    const humanOutput = await diagnostics({ diagnosticsFile });
+    const jsonOutput = await diagnostics({ diagnosticsFile, json: true });
+    const parsed = JSON.parse(jsonOutput);
+
+    assert.match(
+      humanOutput,
+      /kind=agent-request-gateway requestId=1 source=cursor-agent-exec requestType=agent model=gpt-test runtimeId=runtime-1 decision=accepted productId=prod_basic route=ready expiresAt=2999-05-31T00:10:00.000Z forward=rejected reason=rate-limited retryAfterMs=1000/,
+    );
+    assert.deepEqual(parsed, [{
+      ...gatewayRecord('1'),
+      forward: {
+        state: 'rejected',
+        reason: 'rate-limited',
+        retryAfterMs: 1000,
+      },
+    }]);
+  } finally {
+    await rm(tempDir, { recursive: true, force: true });
+  }
+});
+
+test('diagnostics sanitizes malicious request-gateway entries before output', async () => {
+  const tempDir = await mkdtemp(join(tmpdir(), 'cursor-pool-cli-diagnostics-'));
+  const diagnosticsFile = join(tempDir, 'diagnostics.jsonl');
+
+  try {
+    await writeDiagnosticsFile(diagnosticsFile, [
+      JSON.stringify({
+        ...gatewayRecord('1'),
+        model: 'sk-secret-token',
+        prompt: 'do not print',
+        apiKey: 'secret',
+        routeToken: 'rt_secret_value',
+        forward: {
+          state: 'forwarded',
+          upstreamRequestId: 'gw_req_1 token=rt_secret_value',
+          acceptedAt: 'not-a-date',
+        },
+        decision: {
+          state: 'accepted',
+          productId: 'prod_basic apiKey=secret',
+          modeStartedAt: '2026-05-31T00:05:00.000Z',
+          route: {
+            state: 'ready',
+            expiresAt: 'not a date token=rt_secret',
+            routeToken: 'rt_secret_value',
+          },
+        },
+      }),
+    ]);
+
+    const output = await diagnostics({ diagnosticsFile });
+    const parsed = JSON.parse(await diagnostics({ diagnosticsFile, json: true }));
+
+    assert.match(output, /kind=agent-request-gateway requestId=1 .*model=unknown .*decision=unknown/);
+    assert.doesNotMatch(output, /prompt|apiKey|secret|sk-secret-token|routeToken|rt_secret/);
+    assert.deepEqual(parsed, [
+      {
+        ...gatewayRecord('1'),
+        model: 'unknown',
+        decision: { state: 'unknown' },
+        forward: { state: 'unknown' },
+      },
+    ]);
+  } finally {
+    await rm(tempDir, { recursive: true, force: true });
+  }
+});
+
+test('diagnostics formats request-gateway non-accepted decisions', async () => {
+  const tempDir = await mkdtemp(join(tmpdir(), 'cursor-pool-cli-diagnostics-'));
+  const diagnosticsFile = join(tempDir, 'diagnostics.jsonl');
+
+  try {
+    await writeDiagnosticsFile(diagnosticsFile, [
+      JSON.stringify({
+        ...gatewayRecord('1'),
+        decision: {
+          state: 'route-missing',
+          productId: 'prod_basic',
+          modeStartedAt: '2026-05-31T00:05:00.000Z',
+          route: { state: 'missing' },
+        },
+      }),
+      JSON.stringify({
+        ...gatewayRecord('2'),
+        decision: {
+          state: 'route-expired',
+          productId: 'prod_basic',
+          modeStartedAt: '2026-05-31T00:05:00.000Z',
+          route: { state: 'expired', expiresAt: '2026-05-31T00:10:00.000Z' },
+        },
+      }),
+      JSON.stringify({
+        ...gatewayRecord('3'),
+        decision: {
+          state: 'blocked',
+          reason: 'mode-released',
+          releaseReason: 'invalid-token',
+          releasedAt: '2026-05-31T00:10:00.000Z',
+          route: { state: 'missing' },
+        },
+      }),
+      JSON.stringify({
+        ...gatewayRecord('4'),
+        decision: { state: 'unknown' },
+      }),
+    ]);
+
+    const output = await diagnostics({ diagnosticsFile });
+
+    assert.match(output, /requestId=1 .*decision=route-missing productId=prod_basic route=missing/);
+    assert.match(
+      output,
+      /requestId=2 .*decision=route-expired productId=prod_basic route=expired expiresAt=2026-05-31T00:10:00.000Z/,
+    );
+    assert.match(
+      output,
+      /requestId=3 .*decision=blocked reason=mode-released releaseReason=invalid-token releasedAt=2026-05-31T00:10:00.000Z route=missing/,
+    );
+    assert.match(output, /requestId=4 .*decision=unknown/);
+  } finally {
+    await rm(tempDir, { recursive: true, force: true });
+  }
+});
+
+test('diagnostics sanitizes malicious request-check entries before output', async () => {
+  const tempDir = await mkdtemp(join(tmpdir(), 'cursor-pool-cli-diagnostics-'));
+  const diagnosticsFile = join(tempDir, 'diagnostics.jsonl');
+
+  try {
+    await writeDiagnosticsFile(diagnosticsFile, [
+      JSON.stringify({
+        ...requestCheckRecord('1'),
+        model: 'sk-secret-token',
+        prompt: 'do not print',
+        apiKey: 'secret',
+        decision: {
+          state: 'allowed',
+          productId: 'prod_basic apiKey=secret',
+          modeStartedAt: '2026-05-31T00:05:00.000Z',
+          prompt: 'do not print',
+        },
+        route: {
+          state: 'ready',
+          expiresAt: 'not a date token=rt_secret',
+          routeToken: 'rt_secret_value',
+        },
+      }),
+      JSON.stringify({
+        ...requestCheckRecord('2'),
+        decision: {
+          state: 'blocked',
+          reason: 'logged-out',
+          releaseReason: 'invalid-token',
+          releasedAt: '2026-05-31T00:10:00.000Z',
+          apiKey: 'secret',
+        },
+      }),
+    ]);
+
+    const output = await diagnostics({ diagnosticsFile });
+    const parsed = JSON.parse(await diagnostics({ diagnosticsFile, json: true }));
+
+    assert.match(output, /^diagnostics: 2 entries\n/);
+    assert.match(output, /kind=agent-request-check requestId=1 .*model=unknown .*decision=unknown route=unknown/);
+    assert.match(
+      output,
+      /kind=agent-request-check requestId=2 .*decision=blocked reason=logged-out releaseReason=invalid-token releasedAt=2026-05-31T00:10:00.000Z route=missing/,
+    );
+    assert.doesNotMatch(output, /prompt|apiKey|secret|sk-secret-token|do not print|routeToken|rt_secret/);
+    assert.deepEqual(parsed, [
+      {
+        ...requestCheckRecord('1'),
+        model: 'unknown',
+        decision: { state: 'unknown' },
+        route: { state: 'unknown' },
+      },
+      {
+        ...requestCheckRecord('2'),
+        decision: {
+          state: 'blocked',
+          reason: 'logged-out',
+          releaseReason: 'invalid-token',
+          releasedAt: '2026-05-31T00:10:00.000Z',
+        },
+      },
+    ]);
+  } finally {
+    await rm(tempDir, { recursive: true, force: true });
+  }
+});
+
+test('diagnostics displays safe request-check route state without token', async () => {
+  const tempDir = await mkdtemp(join(tmpdir(), 'cursor-pool-cli-diagnostics-'));
+  const diagnosticsFile = join(tempDir, 'diagnostics.jsonl');
+  const route = {
+    state: 'ready' as const,
+    expiresAt: '2999-05-31T00:10:00.000Z',
+  };
+
+  try {
+    await writeDiagnosticsFile(diagnosticsFile, [
+      JSON.stringify({
+        ...requestCheckRecord('1'),
+        route: {
+          ...route,
+          routeToken: 'rt_secret_value',
+          token: 'secret',
+        },
+      }),
+    ]);
+
+    const output = await diagnostics({ diagnosticsFile });
+    const parsed = JSON.parse(await diagnostics({ diagnosticsFile, json: true }));
+
+    assert.match(output, /decision=blocked reason=logged-out route=ready expiresAt=2999-05-31T00:10:00.000Z/);
+    assert.doesNotMatch(output, /routeToken|rt_secret_value|token|secret/);
+    assert.deepEqual(parsed, [
+      {
+        ...requestCheckRecord('1'),
+        route,
+      },
+    ]);
+  } finally {
+    await rm(tempDir, { recursive: true, force: true });
+  }
+});
+
+test('diagnostics rejects non-positive limits', async () => {
+  await assert.rejects(
+    diagnostics({ diagnosticsFile: '/tmp/unused.jsonl', limit: 0 }),
+    /--limit must be a positive integer/,
+  );
+});
+
+test('clearDiagnostics clears only the diagnostics file', async () => {
+  const tempDir = await mkdtemp(join(tmpdir(), 'cursor-pool-cli-diagnostics-'));
+  const diagnosticsFile = join(tempDir, 'diagnostics.jsonl');
+  const runtimeFile = join(tempDir, 'runtime.json');
+
+  try {
+    await writeDiagnosticsFile(diagnosticsFile, [JSON.stringify(record('1'))]);
+    await writeFile(runtimeFile, '{"runtimeId":"runtime-1"}\n', 'utf8');
+
+    assert.equal(await clearDiagnostics({ diagnosticsFile }), 'diagnostics: cleared');
+    assert.equal(await readFile(diagnosticsFile, 'utf8'), '');
+    assert.equal(await readFile(runtimeFile, 'utf8'), '{"runtimeId":"runtime-1"}\n');
+  } finally {
+    await rm(tempDir, { recursive: true, force: true });
+  }
+});
+
+test('clearDiagnostics does not fail when the diagnostics file is missing', async () => {
+  const tempDir = await mkdtemp(join(tmpdir(), 'cursor-pool-cli-diagnostics-'));
+  const diagnosticsFile = join(tempDir, 'missing.jsonl');
+
+  try {
+    assert.equal(await clearDiagnostics({ diagnosticsFile }), 'diagnostics: missing');
+  } finally {
+    await rm(tempDir, { recursive: true, force: true });
+  }
+});