[codex] fix cursor vpn auth diagnostics

[ya-nsh]

Summary

• Add Cursor-specific proxy, CA, timeout, and NO_PROXY handling for usage API requests.
• Add tokenleak cursor doctor for token-free and optional saved-token diagnostics with redacted output.
• Document protected VPN/proxy/TLS inspection troubleshooting and add regression coverage.

Why

On company protected VPNs, Cursor token validation can fail before auth reaches Cursor because HTTPS is routed through managed proxy or TLS inspection. Tokenleak now separates network failures from invalid-token failures and gives actionable env-var fixes.

Test Plan

• bun test packages/registry/src/cursor-auth.test.ts
• bun test packages/cli/src/cursor.test.ts
• PATH="/Users/yansh/.bun/bin:$PATH" bun run check

Summary by CodeRabbit

• New Features

  • Added tokenleak cursor doctor command for diagnosing Cursor connection issues.
  • Added support for configuring proxy settings and TLS inspection on protected networks and corporate VPNs.

• Documentation

  • Updated README with troubleshooting guidance for protected networks, including proxy configuration and CA certificate setup instructions.

[coderabbitai]

Caution

Review failed

Pull request was closed or merged during review

📝 Walkthrough

Walkthrough

This PR adds a tokenleak cursor doctor diagnostic command to help users troubleshoot network connectivity on protected networks, proxies, and corporate VPNs. It introduces network settings resolution from environment variables, error classification for network failures, a diagnostic API for endpoint reachability checking, and a corresponding CLI command with formatted output and optional token validation.

Changes

Cursor Network Diagnostics and Doctor Command

Layer / File(s)	Summary
Network diagnostic types and infrastructure packages/registry/src/cursor-auth.ts	Defines CursorNetworkFailureKind, CursorNetworkSettings, CursorNetworkClassification, and diagnostic check/result types. Implements resolveCursorNetworkSettings to parse proxy, NO_PROXY rules, TLS CA files, and timeouts from environment; adds classifyCursorNetworkError to categorize and format network failures.
Network request handling and error integration packages/registry/src/cursor-auth.ts	Replaces fixed-timeout fetch with configurable fetchWithTimeout that applies network settings (proxy, TLS, CA). Updates validateCursorSession and CSV fetch error paths to use new network error classification and formatting.
Cursor diagnostic connection API and tests packages/registry/src/cursor-auth.ts, packages/registry/src/cursor-auth.test.ts	Implements diagnoseCursorConnection to perform baseline and optional token-authenticated connectivity checks against Cursor endpoints. Tests validate proxy resolution, NO_PROXY matching, CA file handling, error classification (DNS/TLS/proxy/timeout), and confirm secret redaction in results.
Public API re-exports for network diagnostics packages/registry/src/index.ts	Re-exports resolveCursorNetworkSettings, classifyCursorNetworkError, diagnoseCursorConnection, and new diagnostic/network types (CursorDiagnosticCheck, CursorDiagnosticResult, CursorNetworkClassification, CursorNetworkFailureKind, CursorNetworkSettings).
CLI doctor command implementation and tests packages/cli/src/cursor.ts, packages/cli/src/cursor.test.ts	Adds tokenleak cursor doctor subcommand with flags --name, --with-token, --insecure-skip-tls-verify. Implements runCursorDoctor to load optional credentials and call diagnoseCursorConnection, with formatDiagnosticCheck and printCursorDoctorResult helpers for formatted output. Tests verify help text, redaction of proxy credentials and tokens, network error messaging with CA file context, and graceful handling of missing CA files.
User documentation for doctor command and VPN troubleshooting README.md	Adds tokenleak cursor doctor command reference to CLI commands list. Introduces "Corporate VPN / protected network" troubleshooting section with guidance on running doctor, configuring proxy, providing TLS inspection CA files, and relevant environment variables (HTTP_PROXY, HTTPS_PROXY, NO_PROXY, TOKENLEAK_CURSOR_CA_FILE, TOKENLEAK_CURSOR_TIMEOUT).

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly Related PRs

• ya-nsh/tokenleak#93: Establishes the baseline tokenleak cursor command structure (login/status/sync); this PR extends runCursorCommand to add the new doctor diagnostic subcommand.
• ya-nsh/tokenleak#101: Implements initial Cursor session validation and CSV fetch networking; this PR extends the same paths with new network classification and diagnoseCursorConnection diagnostics.

Poem

🐰 A doctor for cursors, hopping through the net,
Untangles proxy puzzles and VPN vexes—yet
With proxy credentials safely redacted and tied,
It diagnoses networks with trustworthy pride!
No token leaks here, just clear diagnostic cheer! 🎯

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The PR title '[codex] fix cursor vpn auth diagnostics' directly aligns with the main objective—adding VPN/proxy diagnostics and a doctor command for Cursor authentication issues on protected networks.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/cursor-vpn-auth-diagnostics

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}