npm - @velum-labs/cursorkit - Versions diffs - 0.1.1 → 0.1.2 - Mend

@velum-labs/cursorkit 0.1.1 → 0.1.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

package/dist/src/ckLauncher.d.ts +2 -5
package/dist/src/ckLauncher.js +25 -206
package/dist/src/cursorDesktopState.d.ts +10 -0
package/dist/src/cursorDesktopState.js +204 -0
package/dist/src/desktopConnectProxy.d.ts +10 -0
package/dist/src/desktopConnectProxy.js +7 -1
package/dist/src/server.js +35 -2
package/package.json +3 -1

package/dist/src/ckLauncher.d.ts CHANGED Viewed

@@ -1,7 +1,8 @@
 import { type ChildProcess } from "node:child_process";
 import fs from "node:fs";
 import { Command } from "commander";
-import { type LocalModelConfig } from "./config.js";
+import { buildLocalDesktopModelEntry, mergeLocalAgentBackendUrlsIntoApplicationUser, mergeLocalDesktopModelsIntoApplicationUser } from "./cursorDesktopState.js";
+export { buildLocalDesktopModelEntry, mergeLocalAgentBackendUrlsIntoApplicationUser, mergeLocalDesktopModelsIntoApplicationUser, };
 import { type DesktopConnectProxy } from "./desktopConnectProxy.js";
 export type CkCommand = "launch" | "test" | "doctor" | "cert" | "route" | "stop";
 export type CkProfileMode = "isolated" | "default";
@@ -155,9 +156,5 @@ export declare function registerCk(program: Command): void;
 export declare function chooseBridgePort(): Promise<number>;
 export declare function seedCursorAuthFromDefault(plan: Pick<CkLaunchPlan, "profileMode" | "userDataDir" | "seedAuthFromDefault">): CursorAuthSeedStatus;
 export declare function seedLocalModelsIntoCursorState(plan: Pick<CkLaunchPlan, "agentHttpPort" | "bridge" | "profileMode" | "userDataDir">): CursorLocalModelSeedStatus;
-export declare function mergeLocalAgentBackendUrlsIntoApplicationUser(applicationUser: Record<string, unknown>, agentOrigin: string): void;
-export declare function mergeLocalDesktopModelsIntoApplicationUser(applicationUser: Record<string, unknown>, models: LocalModelConfig[]): void;
-export declare function buildLocalDesktopModelEntry(model: LocalModelConfig): Record<string, unknown>;
 export declare function cleanupIsolatedCursorProcesses(userDataDir: string): number[];
 export declare function bridgeProcessMatchesState(command: string, state?: Pick<CkState, "bridgeCommand">): boolean;
-export {};

package/dist/src/ckLauncher.js CHANGED Viewed

@@ -6,6 +6,10 @@ import path from "node:path";
 import { fileURLToPath } from "node:url";
 import { Command, InvalidArgumentError } from "commander";
 import { loadConfig } from "./config.js";
+import { buildLocalDesktopModelEntry, mergeLocalAgentBackendUrlsIntoApplicationUser, mergeLocalDesktopModelsIntoApplicationUser, } from "./cursorDesktopState.js";
+// Re-exported for backwards compatibility (callers/tests import these from
+// ckLauncher); the implementations now live in cursorDesktopState.
+export { buildLocalDesktopModelEntry, mergeLocalAgentBackendUrlsIntoApplicationUser, mergeLocalDesktopModelsIntoApplicationUser, };
 import { startDesktopConnectProxy, } from "./desktopConnectProxy.js";
 import { DESKTOP_CERT_PATH, DESKTOP_HOSTNAME, DESKTOP_HOSTNAMES, DESKTOP_KEY_PATH, desktopCertificateStatus, desktopDnsStatus, desktopEnv, desktopTrustCommand, localModelBackendStatus, upstreamReachabilityStatus, writeDesktopCertificate, } from "./desktop.js";
 import { AGENT_RUN_PATH, AGENT_RUN_SSE_PATH, AVAILABLE_MODELS_PATH, BIDI_APPEND_PATH, GET_DEFAULT_MODEL_FOR_CLI_PATH, GET_USABLE_MODELS_PATH, STREAM_CHAT_WITH_TOOLS_PATH, } from "./routes.js";
@@ -767,101 +771,24 @@ export function seedLocalModelsIntoCursorState(plan) {
     if (typeof agentPublicOrigin === "string") {
         mergeLocalAgentBackendUrlsIntoApplicationUser(applicationUser, agentPublicOrigin);
     }
+    // The seed file mirrors the user's Cursor credentials (cursorCreds), so it is
+    // written with owner-only permissions and removed once sqlite3 has imported
+    // it rather than being left on disk.
     const seedPath = path.join(globalStorageDir, "applicationUser.seed.json");
-    fs.writeFileSync(seedPath, JSON.stringify(applicationUser));
-    const escapedSeedPath = seedPath.replaceAll("'", "''");
-    const seed = spawnSync("sqlite3", [
-        targetDb,
-        `insert or replace into ItemTable(key, value) values('${key}', cast(readfile('${escapedSeedPath}') as text));`,
-    ], { encoding: "utf8" });
-    if (seed.status !== 0) {
-        return "sqlite-unavailable";
-    }
-    return "seeded";
-}
-export function mergeLocalAgentBackendUrlsIntoApplicationUser(applicationUser, agentOrigin) {
-    const cursorCreds = ensureRecord(applicationUser, "cursorCreds");
-    const urls = { default: agentOrigin };
-    cursorCreds.agentBackendUrlPrivacy = urls;
-    cursorCreds.agentBackendUrlNonPrivacy = urls;
-}
-export function mergeLocalDesktopModelsIntoApplicationUser(applicationUser, models) {
-    const localModelIds = new Set(models.map((model) => model.id));
-    const current = Array.isArray(applicationUser.availableDefaultModels2)
-        ? applicationUser.availableDefaultModels2.filter((item) => {
-            if (!isPlainRecord(item) || typeof item.name !== "string") {
-                return true;
-            }
-            return !localModelIds.has(item.name);
-        })
-        : [];
-    applicationUser.availableDefaultModels2 = current;
-    const aiSettings = ensureRecord(applicationUser, "aiSettings");
-    for (const model of models) {
-        appendUnique(ensureStringArray(aiSettings, "userAddedModels"), model.id);
-        appendUnique(ensureStringArray(aiSettings, "modelOverrideEnabled"), model.id);
-        removeValue(ensureStringArray(aiSettings, "modelOverrideDisabled"), model.id);
-    }
-    const preferences = ensureRecord(aiSettings, "modelParameterPreferences");
-    const updatedAt = new Date().toISOString();
-    for (const model of models) {
-        preferences[model.id] = {
-            modelId: model.id,
-            parameters: localDesktopParameterValues(true),
-            updatedAt,
-        };
-    }
-    const firstModel = models[0];
-    if (firstModel !== undefined) {
-        applicationUser.useOpenAIKey = true;
-        applicationUser.openAIBaseUrl = firstModel.baseUrl;
-        applicationUser.openAIKey = firstModel.apiKey;
-        const modelConfig = ensureRecord(aiSettings, "modelConfig");
-        const selectedModel = {
-            modelId: firstModel.id,
-            parameters: localDesktopParameterValues(true),
-        };
-        for (const key of ["composer", "background-composer"]) {
-            modelConfig[key] = {
-                modelName: firstModel.id,
-                maxMode: true,
-                selectedModels: [selectedModel],
-            };
-        }
-    }
-    const featureModelConfigs = ensureRecord(applicationUser, "featureModelConfigs");
-    for (const value of Object.values(featureModelConfigs)) {
-        if (!isPlainRecord(value)) {
-            continue;
-        }
-        const fallbackModels = ensureStringArray(value, "fallbackModels");
-        for (const model of models) {
-            appendUnique(fallbackModels, model.id);
+    fs.writeFileSync(seedPath, JSON.stringify(applicationUser), { mode: 0o600 });
+    try {
+        const escapedSeedPath = seedPath.replaceAll("'", "''");
+        const seed = spawnSync("sqlite3", [
+            targetDb,
+            `insert or replace into ItemTable(key, value) values('${key}', cast(readfile('${escapedSeedPath}') as text));`,
+        ], { encoding: "utf8" });
+        if (seed.status !== 0) {
+            return "sqlite-unavailable";
         }
+        return "seeded";
     }
-}
-function ensureRecord(target, key) {
-    if (!isPlainRecord(target[key])) {
-        target[key] = {};
-    }
-    return target[key];
-}
-function ensureStringArray(target, key) {
-    const values = Array.isArray(target[key])
-        ? target[key].filter((value) => typeof value === "string")
-        : [];
-    target[key] = values;
-    return values;
-}
-function appendUnique(values, value) {
-    if (!values.includes(value)) {
-        values.push(value);
-    }
-}
-function removeValue(values, value) {
-    const index = values.indexOf(value);
-    if (index !== -1) {
-        values.splice(index, 1);
+    finally {
+        fs.rmSync(seedPath, { force: true });
     }
 }
 function defaultCursorStateDbPath() {
@@ -881,119 +808,6 @@ function readCursorStateValue(dbPath, key) {
     }
     return result.stdout;
 }
-export function buildLocalDesktopModelEntry(model) {
-    const tooltipData = {
-        primaryText: "",
-        secondaryText: "",
-        secondaryWarningText: false,
-        icon: "",
-        tertiaryText: "",
-        tertiaryTextUrl: "",
-        markdownContent: `**${model.displayName}**<br />Local OpenAI-compatible model served by cursorkit.<br /><br />${model.contextTokenLimit.toLocaleString()} token context window`,
-    };
-    return {
-        name: model.id,
-        serverModelName: model.id,
-        clientDisplayName: model.displayName,
-        inputboxShortModelName: model.displayName,
-        vendorName: "local",
-        vendor: { displayName: "Local" },
-        supportsAgent: true,
-        supportsCmdK: false,
-        supportsImages: false,
-        supportsMaxMode: true,
-        supportsNonMaxMode: true,
-        supportsPlanMode: true,
-        supportsSandboxing: false,
-        supportsThinking: false,
-        cloudAgentEffortModes: [],
-        defaultOn: true,
-        degradationStatus: 0,
-        isRecommendedForBackgroundComposer: false,
-        legacySlugs: [model.id],
-        idAliases: [model.id, model.displayName],
-        parameterDefinitions: localDesktopParameterDefinitions(),
-        namedModelSectionIndex: 10_000,
-        visibleInRoutedModelView: true,
-        tooltipData,
-        tooltipDataForMaxMode: tooltipData,
-        variants: [
-            localDesktopVariantConfig(model, tooltipData, false),
-            localDesktopVariantConfig(model, tooltipData, true),
-        ],
-    };
-}
-function localDesktopVariantConfig(model, tooltipData, isMaxMode) {
-    return {
-        parameterValues: localDesktopParameterValues(isMaxMode),
-        displayName: model.displayName,
-        isMaxMode,
-        isDefaultMaxConfig: isMaxMode,
-        isDefaultNonMaxConfig: !isMaxMode,
-        tooltipData,
-        displayNameOutsidePicker: model.displayName,
-        variantStringRepresentation: localDesktopVariantString(model.id, isMaxMode),
-        legacySlug: model.id,
-    };
-}
-function localDesktopVariantString(modelId, isMaxMode) {
-    const context = isMaxMode ? "1m" : "272k";
-    return `${modelId}[context=${context},reasoning=medium,fast=false]`;
-}
-function localDesktopParameterValues(isMaxMode) {
-    return [
-        { id: "context", value: isMaxMode ? "1m" : "272k" },
-        { id: "reasoning", value: "medium" },
-        { id: "fast", value: "false" },
-    ];
-}
-function localDesktopParameterDefinitions() {
-    return [
-        {
-            id: "context",
-            name: "Context",
-            markdownTooltip: "Context size the model has available.",
-            parameterType: {
-                enumParameter: {
-                    values: [
-                        { value: "272k", displayName: "272K" },
-                        { value: "1m", displayName: "1M" },
-                    ],
-                },
-            },
-        },
-        {
-            id: "reasoning",
-            name: "Reasoning",
-            markdownTooltip: "Reasoning effort the model uses to generate its response.",
-            parameterType: {
-                enumParameter: {
-                    values: [
-                        { value: "none", displayName: "None" },
-                        { value: "low", displayName: "Low" },
-                        { value: "medium", displayName: "Medium" },
-                        { value: "high", displayName: "High" },
-                        { value: "extra-high", displayName: "Extra High" },
-                    ],
-                },
-            },
-            isCycleableByHotkey: true,
-        },
-        {
-            id: "fast",
-            name: "Fast",
-            markdownTooltip: "Use the provider's fast lane when supported.",
-            parameterType: {
-                booleanParameter: {
-                    values: [{ value: "false" }, { value: "true", displayName: "Fast" }],
-                },
-            },
-        },
-    ];
-}
-function isPlainRecord(value) {
-    return typeof value === "object" && value !== null && !Array.isArray(value);
-}
 export function cleanupIsolatedCursorProcesses(userDataDir) {
     const killed = terminateIsolatedCursorProcesses(userDataDir, "SIGTERM");
     spawnSync("sleep", ["1"]);
@@ -1196,9 +1010,14 @@ function configureCursorNodeTlsEnv(plan) {
     if (plan.profileMode !== "isolated") {
         return;
     }
+    // Trust only the bridge's self-signed certificate via NODE_EXTRA_CA_CERTS
+    // instead of globally disabling TLS verification. This keeps certificate
+    // validation intact for real upstream traffic (e.g. api2.cursor.sh) while
+    // allowing the spawned Cursor process to connect to the local bridge.
+    const bridgeCertPath = plan.bridge.env?.BRIDGE_CERT_PATH ?? DESKTOP_CERT_PATH;
     plan.cursor.env = {
         ...plan.cursor.env,
-        NODE_TLS_REJECT_UNAUTHORIZED: "0",
+        NODE_EXTRA_CA_CERTS: bridgeCertPath,
     };
 }
 function printPlan(plan) {

package/dist/src/cursorDesktopState.d.ts ADDED Viewed

@@ -0,0 +1,10 @@
+import type { LocalModelConfig } from "./config.js";
+/**
+ * Builders that shape the Cursor desktop `applicationUser` state and local
+ * model catalog entries. Extracted from `ckLauncher` so the (large) launcher
+ * module is not also responsible for the desktop state-seed schema. These are
+ * pure data transforms over plain JSON-shaped records.
+ */
+export declare function mergeLocalAgentBackendUrlsIntoApplicationUser(applicationUser: Record<string, unknown>, agentOrigin: string): void;
+export declare function mergeLocalDesktopModelsIntoApplicationUser(applicationUser: Record<string, unknown>, models: LocalModelConfig[]): void;
+export declare function buildLocalDesktopModelEntry(model: LocalModelConfig): Record<string, unknown>;

package/dist/src/cursorDesktopState.js ADDED Viewed

@@ -0,0 +1,204 @@
+/**
+ * Builders that shape the Cursor desktop `applicationUser` state and local
+ * model catalog entries. Extracted from `ckLauncher` so the (large) launcher
+ * module is not also responsible for the desktop state-seed schema. These are
+ * pure data transforms over plain JSON-shaped records.
+ */
+export function mergeLocalAgentBackendUrlsIntoApplicationUser(applicationUser, agentOrigin) {
+    const cursorCreds = ensureRecord(applicationUser, "cursorCreds");
+    const urls = { default: agentOrigin };
+    cursorCreds.agentBackendUrlPrivacy = urls;
+    cursorCreds.agentBackendUrlNonPrivacy = urls;
+}
+export function mergeLocalDesktopModelsIntoApplicationUser(applicationUser, models) {
+    const localModelIds = new Set(models.map((model) => model.id));
+    const current = Array.isArray(applicationUser.availableDefaultModels2)
+        ? applicationUser.availableDefaultModels2.filter((item) => {
+            if (!isPlainRecord(item) || typeof item.name !== "string") {
+                return true;
+            }
+            return !localModelIds.has(item.name);
+        })
+        : [];
+    applicationUser.availableDefaultModels2 = current;
+    const aiSettings = ensureRecord(applicationUser, "aiSettings");
+    for (const model of models) {
+        appendUnique(ensureStringArray(aiSettings, "userAddedModels"), model.id);
+        appendUnique(ensureStringArray(aiSettings, "modelOverrideEnabled"), model.id);
+        removeValue(ensureStringArray(aiSettings, "modelOverrideDisabled"), model.id);
+    }
+    const preferences = ensureRecord(aiSettings, "modelParameterPreferences");
+    const updatedAt = new Date().toISOString();
+    for (const model of models) {
+        preferences[model.id] = {
+            modelId: model.id,
+            parameters: localDesktopParameterValues(true),
+            updatedAt,
+        };
+    }
+    const firstModel = models[0];
+    if (firstModel !== undefined) {
+        applicationUser.useOpenAIKey = true;
+        applicationUser.openAIBaseUrl = firstModel.baseUrl;
+        applicationUser.openAIKey = firstModel.apiKey;
+        const modelConfig = ensureRecord(aiSettings, "modelConfig");
+        const selectedModel = {
+            modelId: firstModel.id,
+            parameters: localDesktopParameterValues(true),
+        };
+        for (const key of ["composer", "background-composer"]) {
+            modelConfig[key] = {
+                modelName: firstModel.id,
+                maxMode: true,
+                selectedModels: [selectedModel],
+            };
+        }
+    }
+    const featureModelConfigs = ensureRecord(applicationUser, "featureModelConfigs");
+    for (const value of Object.values(featureModelConfigs)) {
+        if (!isPlainRecord(value)) {
+            continue;
+        }
+        const fallbackModels = ensureStringArray(value, "fallbackModels");
+        for (const model of models) {
+            appendUnique(fallbackModels, model.id);
+        }
+    }
+}
+export function buildLocalDesktopModelEntry(model) {
+    const tooltipData = {
+        primaryText: "",
+        secondaryText: "",
+        secondaryWarningText: false,
+        icon: "",
+        tertiaryText: "",
+        tertiaryTextUrl: "",
+        markdownContent: `**${model.displayName}**<br />Local OpenAI-compatible model served by cursorkit.<br /><br />${model.contextTokenLimit.toLocaleString()} token context window`,
+    };
+    return {
+        name: model.id,
+        serverModelName: model.id,
+        clientDisplayName: model.displayName,
+        inputboxShortModelName: model.displayName,
+        vendorName: "local",
+        vendor: { displayName: "Local" },
+        supportsAgent: true,
+        supportsCmdK: false,
+        supportsImages: false,
+        supportsMaxMode: true,
+        supportsNonMaxMode: true,
+        supportsPlanMode: true,
+        supportsSandboxing: false,
+        supportsThinking: false,
+        cloudAgentEffortModes: [],
+        defaultOn: true,
+        degradationStatus: 0,
+        isRecommendedForBackgroundComposer: false,
+        legacySlugs: [model.id],
+        idAliases: [model.id, model.displayName],
+        parameterDefinitions: localDesktopParameterDefinitions(),
+        namedModelSectionIndex: 10_000,
+        visibleInRoutedModelView: true,
+        tooltipData,
+        tooltipDataForMaxMode: tooltipData,
+        variants: [
+            localDesktopVariantConfig(model, tooltipData, false),
+            localDesktopVariantConfig(model, tooltipData, true),
+        ],
+    };
+}
+function localDesktopVariantConfig(model, tooltipData, isMaxMode) {
+    return {
+        parameterValues: localDesktopParameterValues(isMaxMode),
+        displayName: model.displayName,
+        isMaxMode,
+        isDefaultMaxConfig: isMaxMode,
+        isDefaultNonMaxConfig: !isMaxMode,
+        tooltipData,
+        displayNameOutsidePicker: model.displayName,
+        variantStringRepresentation: localDesktopVariantString(model.id, isMaxMode),
+        legacySlug: model.id,
+    };
+}
+function localDesktopVariantString(modelId, isMaxMode) {
+    const context = isMaxMode ? "1m" : "272k";
+    return `${modelId}[context=${context},reasoning=medium,fast=false]`;
+}
+function localDesktopParameterValues(isMaxMode) {
+    return [
+        { id: "context", value: isMaxMode ? "1m" : "272k" },
+        { id: "reasoning", value: "medium" },
+        { id: "fast", value: "false" },
+    ];
+}
+function localDesktopParameterDefinitions() {
+    return [
+        {
+            id: "context",
+            name: "Context",
+            markdownTooltip: "Context size the model has available.",
+            parameterType: {
+                enumParameter: {
+                    values: [
+                        { value: "272k", displayName: "272K" },
+                        { value: "1m", displayName: "1M" },
+                    ],
+                },
+            },
+        },
+        {
+            id: "reasoning",
+            name: "Reasoning",
+            markdownTooltip: "Reasoning effort the model uses to generate its response.",
+            parameterType: {
+                enumParameter: {
+                    values: [
+                        { value: "none", displayName: "None" },
+                        { value: "low", displayName: "Low" },
+                        { value: "medium", displayName: "Medium" },
+                        { value: "high", displayName: "High" },
+                        { value: "extra-high", displayName: "Extra High" },
+                    ],
+                },
+            },
+            isCycleableByHotkey: true,
+        },
+        {
+            id: "fast",
+            name: "Fast",
+            markdownTooltip: "Use the provider's fast lane when supported.",
+            parameterType: {
+                booleanParameter: {
+                    values: [{ value: "false" }, { value: "true", displayName: "Fast" }],
+                },
+            },
+        },
+    ];
+}
+function ensureRecord(target, key) {
+    if (!isPlainRecord(target[key])) {
+        target[key] = {};
+    }
+    return target[key];
+}
+function ensureStringArray(target, key) {
+    const values = Array.isArray(target[key])
+        ? target[key].filter((value) => typeof value === "string")
+        : [];
+    target[key] = values;
+    return values;
+}
+function appendUnique(values, value) {
+    if (!values.includes(value)) {
+        values.push(value);
+    }
+}
+function removeValue(values, value) {
+    const index = values.indexOf(value);
+    if (index !== -1) {
+        values.splice(index, 1);
+    }
+}
+function isPlainRecord(value) {
+    return typeof value === "object" && value !== null && !Array.isArray(value);
+}

package/dist/src/desktopConnectProxy.d.ts CHANGED Viewed

@@ -5,9 +5,19 @@ export interface DesktopConnectProxyOptions {
     bridgeHost: string;
     bridgePort: number;
     logPath?: string;
+    /**
+     * When true, CONNECT requests to non-Cursor hosts are tunneled through to
+     * their destination, turning this into an open forwarder. Defaults to false
+     * so only Cursor backends (cursorHostnames) are reachable.
+     */
     passthrough?: boolean;
     cursorHostnames?: readonly string[];
     headerTimeoutMs?: number;
+    /**
+     * Allow binding to a non-loopback host. Off by default to avoid exposing the
+     * proxy beyond the local machine.
+     */
+    allowExternalHost?: boolean;
 }
 export interface DesktopConnectProxy {
     server: net.Server;

package/dist/src/desktopConnectProxy.js CHANGED Viewed

@@ -5,8 +5,11 @@ const CONNECT_LINE_PATTERN = /^CONNECT\s+([^\s]+)\s+HTTP\/\d(?:\.\d)?$/i;
 const DEFAULT_HEADER_TIMEOUT_MS = 5_000;
 const MAX_CONNECT_HEADER_BYTES = 32 * 1024;
 export async function startDesktopConnectProxy(options) {
+    if (options.allowExternalHost !== true && !isLoopbackHost(options.host)) {
+        throw new Error(`Refusing to bind CONNECT proxy to non-loopback host ${options.host}. Set allowExternalHost: true to override.`);
+    }
     const cursorHostnames = new Set(options.cursorHostnames ?? DESKTOP_HOSTNAMES);
-    const passthrough = options.passthrough ?? true;
+    const passthrough = options.passthrough ?? false;
     const activeSockets = new Set();
     const server = net.createServer((client) => {
         activeSockets.add(client);
@@ -155,6 +158,9 @@ function handleClient(client, options, cursorHostnames, passthrough, activeSocke
         });
     });
 }
+function isLoopbackHost(host) {
+    return host === "127.0.0.1" || host === "::1" || host === "localhost";
+}
 function parseConnectDestination(value) {
     if (value.startsWith("[")) {
         const closeBracket = value.indexOf("]");

package/dist/src/server.js CHANGED Viewed

@@ -1,3 +1,4 @@
+import { timingSafeEqual } from "node:crypto";
 import http from "node:http";
 import http2 from "node:http2";
 import https from "node:https";
@@ -101,7 +102,9 @@ export async function createBridgeRuntime(config, logger) {
 }
 export async function startServer(runtime) {
     const listener = (request, response) => {
-        void handleRequest(runtime, request, response);
+        handleRequest(runtime, request, response).catch((error) => {
+            handleRequestFailure(runtime, response, error);
+        });
     };
     const server = runtime.config.useTls
         ? runtime.config.desktopMode
@@ -252,6 +255,35 @@ async function handleRequest(runtime, request, response) {
     }
     proxyRequest(request, response, runtime.config, runtime.logger);
 }
+function handleRequestFailure(runtime, response, error) {
+    runtime.logger.error("request handler crashed", {
+        error: error instanceof Error ? error.message : String(error),
+    });
+    try {
+        if (response.headersSent) {
+            response.destroy();
+            return;
+        }
+        response.writeHead(500, { "content-type": "application/json" });
+        response.end(JSON.stringify({ error: "internal bridge error" }));
+    }
+    catch {
+        response.destroy();
+    }
+}
+/**
+ * Length-independent constant-time comparison so bridge-token checks do not leak
+ * the secret via early-mismatch timing. A missing header never matches.
+ */
+function constantTimeEquals(value, expected) {
+    if (value === undefined)
+        return false;
+    const valueBuf = Buffer.from(value);
+    const expectedBuf = Buffer.from(expected);
+    if (valueBuf.length !== expectedBuf.length)
+        return false;
+    return timingSafeEqual(valueBuf, expectedBuf);
+}
 function authorizeRequest(runtime, request, response) {
     const token = runtime.config.authToken;
     if (token === undefined) {
@@ -259,7 +291,8 @@ function authorizeRequest(runtime, request, response) {
     }
     const authorization = headerValue(request.headers.authorization);
     const bridgeToken = headerValue(request.headers["x-cursor-rpc-auth"]);
-    const authorized = authorization === `Bearer ${token}` || bridgeToken === token;
+    const authorized = constantTimeEquals(authorization, `Bearer ${token}`) ||
+        constantTimeEquals(bridgeToken, token);
     if (authorized) {
         return true;
     }

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@velum-labs/cursorkit",
-  "version": "0.1.1",
+  "version": "0.1.2",
   "private": false,
   "type": "module",
   "description": "Unofficial research bridge for experimenting with Cursor's ConnectRPC protocol against a self-hosted OpenAI-compatible model.",
@@ -62,6 +62,7 @@
     "@bufbuild/protoc-gen-es": "^2.12.0",
     "@types/node": "24.10.1",
     "@velum-labs/model-fusion-protocol": "0.1.1",
+    "@vitest/coverage-v8": "4.1.8",
     "prettier": "3.8.4",
     "tsx": "4.22.4",
     "typescript": "6.0.3",
@@ -78,6 +79,7 @@
     "baseline:generate": "tsx src/tools/baselineInventory.ts",
     "baseline:check": "tsx src/tools/baselineInventory.ts --check",
     "test": "vitest run tests",
+    "test:coverage": "vitest run --coverage",
     "e2e:cursor-agent": "python3 tests/e2e/cursor-agent-smoke.py",
     "model-fusion:protocol:check": "tsx src/tools/checkModelFusionProtocol.ts",
     "release:publish:check": "tsx src/tools/checkReleasePublishConfig.ts",