Skip to content

feat(cursor): add token cost report with Cursor-metered total#1745

Open
EClinick wants to merge 16 commits into
steipete:mainfrom
EClinick:feat/cursor-token-cost
Open

feat(cursor): add token cost report with Cursor-metered total#1745
EClinick wants to merge 16 commits into
steipete:mainfrom
EClinick:feat/cursor-token-cost

Conversation

@EClinick

@EClinick EClinick commented Jun 24, 2026

Copy link
Copy Markdown

Owner decision — product/privacy hold

Decision requested: Should CodexBar fetch detailed Cursor usage-event history through the existing cookie-authenticated dashboard session to calculate per-day/per-model cost estimates, or should Cursor remain limited to its summary usage/status data?

Tradeoff: The report makes otherwise hidden API-rate and Cursor-metered totals useful in the app and CLI. It also expands an authenticated dashboard integration into detailed event-history collection, depends on a private endpoint contract, and presents estimates that users may read as billing truth.

Recommendation: Do not land the current behavior yet. Prefer an explicit opt-in plus approved privacy/source wording before enabling this network-backed history fetch. If the owner accepts the existing-auth/no-new-setting model, the implementation below is prepared and exact-head CI is the remaining mechanical gate.

This PR is intentionally held for that owner decision; green CI does not make it merge-ready.

Summary

Adds a Cursor token-cost report to CodexBar, sourced from Cursor's cookie-authenticated dashboard API and reusing the existing Cursor session resolution (the same auth path as the status probe). Each usage event carries both a vendor list-price token cost (tokenUsage.totalCents) and the amount Cursor's plan actually deducts (chargedCents), so a single fetch yields both an API-rate per-day/per-model breakdown and a "Cursor-metered" window total covering the exact same window.

Core

  • CursorUsageEventsFetcher: pages POST /api/dashboard/get-filtered-usage-events, dedupes events on their natural key, and shapes them into a CostUsageDailyReport (API-rate) plus a metered window total (sum of chargedCents). Lenient numeric decoding handles Cursor serializing some numbers as strings, and the CSRF-protected POST sends the required Origin header.
  • CursorStatusProbe: generalized resolveSession so status and cost share one session-resolution flow (manual cookie, cached cookie, browser cookies, stored session, Cursor.app fallback); added fetchCostReport on top of it.
  • CostUsageFetcher: macOS-only Cursor branch over a rolling historyDays window (like Codex/Claude), with the session line tied to the current local day.
  • Enabled the Cursor tokenCost capability and added a Cursor-specific cost-estimate hint.

CLI

  • codexbar cost --provider cursor, honoring --days (1…365).
  • Reuses the usage path's cookie-source policy: skips with a notice when Cursor cookies are Off, and forwards the Manual header so the dashboard request uses the configured session instead of auto-resolving a different one. Cursor cost is gated to macOS.
  • Text output adds a Cursor-metered: $X (window) line; JSON adds meteredCostUSD. The unsupported-provider error lists supported providers dynamically.

App (UI)

  • Menu cost card renders the Cursor-metered line alongside the API-rate estimate, the Cursor dashboard hint, and an inline windowed cost chart consistent with other providers.

Live proof — codexbar cost --provider cursor

$ codexbar cost --provider cursor
Cursor Cost (API-rate estimate)
Today: $101.24 · 108M tokens
Last 30 days: $465.85 · 367M tokens
Cursor-metered: $4.76 (last 30 days)
From Cursor's usage dashboard at vendor token rates; may differ from your invoice.
$ codexbar cost --provider cursor --format json   # compact slice
{
  "provider": "cursor",
  "source": "web",
  "currencyCode": "USD",
  "historyDays": 30,
  "sessionCostUSD": 101.58,
  "last30DaysCostUSD": 466.19,
  "meteredCostUSD": 4.76,
  "daily_sample": [
    {
      "date": "2026-06-24",
      "totalCost": 101.58,
      "totalTokens": 108852907,
      "modelsUsed": ["example-released-model"],
      "modelBreakdowns": [
        { "modelName": "example-released-model", "totalTokens": 108852907, "cost": 101.58 }
      ]
    }
  ]
}

source: "web" confirms the live dashboard fetch; the Cursor-metered total and the per-model breakdown are both present. (Real token counts/amounts, lightly trimmed.)

Tests

  • CursorUsageEventsFetcherTests: pagination/dedupe, metered-cents summing (including nil-vs-zero), per-day/per-model mapping, and current-local-day session selection.
  • CursorStatusProbeTests: cost-report path over the shared session resolution.

Commands run

  • swift build --product CodexBarCLI — clean.
  • swift test --filter CursorUsageEventsFetcherTests — 10/10 passing (full Xcode toolchain).
  • make start — full app build, sign, and launch clean.

Screenshots

image image image image

Notes

  • Cost is fetched over the network from Cursor's dashboard API using existing cookie-based auth, consistent with other network-backed providers (e.g. Bedrock). No new dependencies.

Cursor previously surfaced only status/quota, not per-model token cost.
Add a cost report sourced from Cursor's cookie-authenticated dashboard
API, reusing the existing Cursor session resolution.

Core:
- CursorUsageEventsFetcher pages get-filtered-usage-events, dedupes, and
  shapes events into an API-rate per-day/per-model report plus a
  Cursor-metered window total (sum of chargedCents). One fetch backs both
  numbers so they always cover the same window.
- CursorStatusProbe.resolveSession generalizes the auth path so status and
  cost share one session-resolution flow; fetchCostReport runs on it.
- CostUsageFetcher gains a macOS-only Cursor branch and a fetchAllHistory
  option (all-time window plus "All time" label when set).
- Enable Cursor tokenCost capability and add a Cursor cost-estimate hint.

CLI:
- codexbar cost --provider cursor with --days and a new --all flag.
- Text adds a "Cursor-metered" window line; JSON adds meteredCostUSD.

App:
- Menu cost card shows the Cursor-metered line; Preferences gains a global
  "Fetch full Cursor cost history" toggle wired through the settings store
  and the UsageStore refresh scope.

Tests:
- CursorUsageEventsFetcher pagination/dedupe/metered-cents and daily report
  mapping; CursorStatusProbe cost-report path.
Copilot AI review requested due to automatic review settings June 24, 2026 21:41

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot was unable to review this pull request because the user who requested the review has reached their quota limit.

@clawsweeper

clawsweeper Bot commented Jun 24, 2026

Copy link
Copy Markdown

Codex review: needs real behavior proof before merge. Reviewed July 1, 2026, 4:27 AM ET / 08:27 UTC.

Summary
The PR adds macOS Cursor token-cost reporting from Cursor dashboard usage events across core fetchers, CLI/server output, menu UI, settings, and focused tests.

Reproducibility: yes. for the review blockers from source inspection: PR head keys Auto-mode cost scope only by cursorCookie=auto, and current docs still describe the old Claude/Codex local-cost contract. I did not run live Cursor provider probes because repository policy warns against unrequested validation that can touch real cookies or Keychain prompts.

Review metrics: 3 noteworthy metrics.

  • Changed surface: 20 files changed, +1190/-69. The PR spans core fetching, session resolution, app UI, CLI/server output, and tests, so upgrade and proof review matter before merge.
  • Docs delta: 0 docs files changed. The PR changes user-facing app, CLI, and server behavior while current docs still describe the old cost contract.
  • Authenticated endpoint: 1 new dashboard POST. The new Cursor cost source sends resolved cookies to a detailed usage-event endpoint, which green parser tests do not settle.

Merge readiness
Overall: 🦪 silver shellfish
Proof: 🦪 silver shellfish
Patch quality: 🦐 gold shrimp
Result: blocked until stronger real behavior proof is added.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

  • [P1] Add refreshed redacted menu and CLI proof after the final auth/privacy contract is selected.
  • [P1] Fix or explicitly resolve the Cursor Auto-mode cost cache identity behavior.
  • Document Cursor dashboard cost behavior in Cursor and CLI docs.

Proof guidance:

  • [P1] Needs stronger real behavior proof before merge: The PR body has copied CLI output and screenshots, but the owner requested refreshed redacted packaged menu/CLI proof after the final auth/UI contract and adjacent overlap are resolved; update the PR body after adding proof so ClawSweeper can re-review, or ask a maintainer to comment @clawsweeper re-review.

Mantis proof suggestion
The menu and CLI behavior is user-visible, and refreshed proof would materially help after the final auth/UI contract is chosen. A maintainer can ask Mantis to capture proof by posting this exact PR comment:

@openclaw-mantis visual task: verify CodexBar shows Cursor token cost with a Cursor-metered line and dashboard-source copy, plus redacted codexbar cost --provider cursor output.

Risk before merge

  • [P1] The PR expands Cursor's cookie-authenticated dashboard session into detailed usage-event history collection, which the owner explicitly held for a product/privacy decision.
  • [P1] Existing users with global cost usage enabled may start seeing new network-backed Cursor cost refreshes and menu output after upgrade because Cursor changes from unsupported to supported.
  • [P1] In Auto mode, a resolved Cursor account/session change can leave the previous account's token-cost snapshot visible until TTL expiry or a forced refresh.
  • [P1] The user-facing docs still describe the old local Claude/Codex cost contract and do not document Cursor's remote dashboard endpoint, metered total, cache/pagination behavior, or CLI/server output.
  • [P1] The current screenshots and copied CLI output should be refreshed after the final auth/UI contract and adjacent provider/menu overlap are resolved.

Maintainer options:

  1. Fix Cache, Docs, And Proof Before Merge (recommended)
    Resolve Auto-mode cache identity, document the remote Cursor cost contract, and refresh redacted packaged menu/CLI proof before owner approval.
  2. Accept Dashboard-Cookie Cost Behavior
    A maintainer can explicitly approve the existing-auth dashboard cost model once the upgrade behavior and user-facing wording are documented.
  3. Pause Core Cursor Cost
    If the private endpoint or cookie-auth privacy model is not acceptable for core, pause this PR or narrow it to reusable parsing/tests without enabling the feature.

Next step before merge

  • [P1] Owner product/auth acceptance is the main blocker; the cache and docs repairs are bounded but should follow that decision rather than an autonomous repair lane taking over the PR.

Security
Needs attention: No supply-chain issue was found, but the new cookie-authenticated Cursor dashboard POST needs explicit owner auth/privacy acceptance.

Review findings

  • [P1] Include Cursor auto session identity in cost scope — Sources/CodexBar/UsageStore.swift:1524-1530
  • [P2] Document the remote Cursor cost contract — Sources/CodexBarCore/Providers/Cursor/CursorProviderDescriptor.swift:33-34
Review details

Best possible solution:

Land a documented, explicitly accepted Cursor dashboard cost source after fixing Auto-mode cache identity, refreshing redacted packaged menu/CLI proof, and resolving the owner’s auth/privacy decision and provider-menu overlap with #1736.

Do we have a high-confidence way to reproduce the issue?

Yes for the review blockers from source inspection: PR head keys Auto-mode cost scope only by cursorCookie=auto, and current docs still describe the old Claude/Codex local-cost contract. I did not run live Cursor provider probes because repository policy warns against unrequested validation that can touch real cookies or Keychain prompts.

Is this the best way to solve the issue?

No, not yet. The implementation is close and has focused tests, but the best merge path needs owner auth/privacy acceptance, resolved Cursor identity in the cost cache scope, user-facing docs, and refreshed final UI/CLI proof.

Full review comments:

  • [P1] Include Cursor auto session identity in cost scope — Sources/CodexBar/UsageStore.swift:1524-1530
    In Auto mode this suffix records only cursorCookie=auto, so if the cached/browser/app Cursor session changes to another account within the TTL, the guard below can return the previous account's cost snapshot. Include a resolved account/session fingerprint or clear the token-cost markers when Cursor identity changes.
    Confidence: 0.88
  • [P2] Document the remote Cursor cost contract — Sources/CodexBarCore/Providers/Cursor/CursorProviderDescriptor.swift:33-34
    Changing Cursor to supportsTokenCost: true exposes a new cookie-authenticated dashboard source in the app, CLI, and server, but this PR changes no docs and current docs still list the old Cursor endpoints and cost JSON shape. Add the endpoint/auth fallback, remote-vs-local totals, pagination/cache behavior, and meteredCostUSD output docs before merge.
    Confidence: 0.86

Overall correctness: patch is incorrect
Overall confidence: 0.88

AGENTS.md: found and applied where relevant.

Codex review notes: model internal, reasoning high; reviewed against 46b493fc45bd.

Label changes

Label changes:

  • add rating: 🦪 silver shellfish: Overall readiness is 🦪 silver shellfish; proof is 🦪 silver shellfish and patch quality is 🦐 gold shrimp.
  • remove rating: 🦐 gold shrimp: Current PR rating is rating: 🦪 silver shellfish, so this older rating label is no longer current.

Label justifications:

  • P2: This is a normal-priority provider feature with bounded but real auth/privacy, docs, proof, and cache-correctness blockers.
  • merge-risk: 🚨 compatibility: Enabling Cursor token cost can change existing users' cost refresh and menu behavior when global cost usage is already enabled.
  • merge-risk: 🚨 auth-provider: The PR routes resolved Cursor cookies through a new dashboard cost endpoint and shares session resolution across status and cost.
  • rating: 🦪 silver shellfish: Overall readiness is 🦪 silver shellfish; proof is 🦪 silver shellfish and patch quality is 🦐 gold shrimp.
  • status: 📣 needs proof: The PR needs real behavior proof before ClawSweeper can clear the contributor ask. Needs stronger real behavior proof before merge: The PR body has copied CLI output and screenshots, but the owner requested refreshed redacted packaged menu/CLI proof after the final auth/UI contract and adjacent overlap are resolved; update the PR body after adding proof so ClawSweeper can re-review, or ask a maintainer to comment @clawsweeper re-review.
  • proof: 📸 screenshot: Contributor real behavior proof includes screenshot evidence. The PR body has copied CLI output and screenshots, but the owner requested refreshed redacted packaged menu/CLI proof after the final auth/UI contract and adjacent overlap are resolved; update the PR body after adding proof so ClawSweeper can re-review, or ask a maintainer to comment @clawsweeper re-review.
Evidence reviewed

Security concerns:

  • [medium] Accept Cursor dashboard cookie use — Sources/CodexBarCore/Providers/Cursor/CursorUsageEventsFetcher.swift:266
    The new fetcher sends the resolved Cursor Cookie header to /api/dashboard/get-filtered-usage-events; even with Off and Manual safeguards, this broadens how Cursor auth is used and should be explicitly accepted before merge.
    Confidence: 0.88

Acceptance criteria:

  • [P1] swift test --filter CursorUsageEventsFetcherTests.
  • [P1] swift test --filter CursorStatusProbeTests.
  • [P1] swift test --filter CLICostTests.
  • [P1] swift test --filter CLIServeRouterTests.
  • [P1] make check.

What I checked:

Likely related people:

  • steipete: Current-main blame ties the Cursor descriptor, token-cost scope baseline, CostUsageFetcher, and docs baseline to Peter Steinberger, and the latest branch commit plus owner review comments are also from steipete. (role: current area reviewer and recent owner; confidence: high; commits: f380287041b8, 43c87553e123, 80803fb50ee3; files: Sources/CodexBarCore/Providers/Cursor/CursorProviderDescriptor.swift, Sources/CodexBar/UsageStore.swift, Sources/CodexBarCore/CostUsageFetcher.swift)
  • Ratul Sarna: History shows Ratul Sarna introduced dashboard-aligned Cursor usage support and fallback scanning in files adjacent to the new usage-event and status-probe path. (role: Cursor usage feature contributor; confidence: medium; commits: b334afa24a2c, 48420e13e9c5, a04986b8b4a6; files: Sources/CodexBarCore/Providers/Cursor/CursorStatusProbe.swift)
  • Jackie-Qin: Earlier Cursor app-auth fallback and cookie precedence commits are relevant to the session resolution path reused by this PR. (role: Cursor auth precedence contributor; confidence: medium; commits: 5d7c00bcd9c5, f29ededc4460, 1b0e2f1a7828; files: Sources/CodexBarCore/Providers/Cursor/CursorStatusProbe.swift)
  • Zihao Qi: Recent current-main cost/day presentation work touched CostUsageFetcher and related model/display paths that this PR extends for Cursor cost windows. (role: recent adjacent cost contributor; confidence: medium; commits: 929d55aaf1d7; files: Sources/CodexBarCore/CostUsageFetcher.swift)
  • Yashiel Sookdeo: A recently merged Cursor cost-area PR added personal on-demand spend alongside team pool near this PR's Cursor cost/menu surface. (role: adjacent Cursor cost contributor; confidence: medium; commits: 2673d92cb075; files: Sources/CodexBar/MenuCardView+Costs.swift, Sources/CodexBarCore/Providers/Cursor/CursorStatusProbe.swift)
What the crustacean ranks mean
  • 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
  • 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
  • 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
  • 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
  • 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
  • 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
  • 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works
  • ClawSweeper keeps one durable marker-backed review comment per issue or PR.
  • Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
  • A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
  • PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
  • Maintainers can also comment @clawsweeper review to request a fresh review only.
  • Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
  • Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
  • Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 2209a9b639

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread Sources/CodexBar/MenuCardView.swift
Comment thread Sources/CodexBarCore/CostUsageFetcher.swift Outdated
@clawsweeper clawsweeper Bot added rating: 🧂 unranked krab Not merge-ready due to missing proof or serious correctness/safety concerns. status: 📣 needs proof The PR needs real behavior proof before ClawSweeper can clear the contributor ask. P2 Normal priority bug or improvement with limited blast radius. merge-risk: 🚨 auth-provider 🚨 Merging this PR could break OAuth, tokens, provider routing, model choice, or credentials. labels Jun 24, 2026
EClinick added 3 commits June 24, 2026 15:19
… compiling

Adding meteredLine to TokenUsageSection without a default made the synthesized memberwise initializer require it at every call site, breaking existing callers and tests that predate the Cursor-metered line. Add an explicit initializer that defaults meteredLine to nil so those call sites keep compiling.
The Cursor cost fetch always auto-resolved cookies, ignoring the cookie-source setting the status path respects. Thread a cursorCookieHeaderOverride from UsageStore through CostUsageFetcher into the Cursor cost report: forward the manual header when the source is Manual, skip the fetch entirely when it is Off, and fall back to auto resolution otherwise. Include the cookie source in the cost scope signature so toggling re-fetches.
…ping

totalUsageEventsCount used a strict Int decode, so a string-encoded count (the API serializes some numbers as strings) became nil and could short-circuit pagination. Route it through the lenient CursorEventNumber decoder like every other numeric field. Also fix the paginate/dedupe test whose third event timestamp crossed into the next UTC day: it expected one day-entry while the correct grouping produced two. Move it onto the same UTC day so it exercises single-day grouping and dedup as intended.
@EClinick

Copy link
Copy Markdown
Author

@clawsweeper re-review

@clawsweeper

clawsweeper Bot commented Jun 24, 2026

Copy link
Copy Markdown

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

- Add Cursor to the inline cost-dashboard allowlist and key the Preferences
  cost-status line off supportsTokenCost so the Cursor card shows cost like
  Claude/Codex.
- Drop the cursor-specific all-time history feature (the "Fetch full Cursor
  cost history" toggle, its settings plumbing, the CLI --all flag, the
  "All time" label, and the history-span sizing). Cursor now uses the shared
  "History window: N days" setting, so the inline chart draws legible windowed
  bars instead of the full account history.
- Keep the Cursor-metered total, now scoped to the selected window.
@clawsweeper clawsweeper Bot added proof: 📸 screenshot Contributor real behavior proof includes screenshot evidence. merge-risk: 🚨 compatibility 🚨 Merging this PR could break existing users, config, migrations, defaults, or upgrades. labels Jun 24, 2026
@EClinick

Copy link
Copy Markdown
Author

@openclaw-mantis visual task: verify CodexBar shows Cursor token cost with a Cursor-metered line and dashboard-source copy using redacted Cursor account data.

EClinick added 3 commits June 24, 2026 17:29
loadCursorTokenSnapshot now derives the session value from the current
local day instead of the latest history entry, so a stale day is never
labeled "Today" in the menu or CLI. This matches the Codex/Claude cost
window behavior. Adds a focused test covering the stale-latest case.
tokenUsageHint had no Cursor case, so the shared menu/inline cost card
fell back to the generic local-logs estimate copy for dashboard-derived
Cursor data. Return the Cursor dashboard hint instead.
CLI `cost --provider cursor` now resolves the configured Cursor cookie
source the same way the usage path does: it skips the fetch (with a
notice) when cookies are Off and forwards the Manual header so the
dashboard request uses the configured session instead of auto-resolving
a different one. Also gates Cursor in costSupportedProviders to macOS,
since supportsTokenSnapshot(.cursor) is macOS-only and the CLI otherwise
advertised Cursor cost on platforms where it can only fail.
@EClinick

Copy link
Copy Markdown
Author

@clawsweeper re-review

@clawsweeper

clawsweeper Bot commented Jun 25, 2026

Copy link
Copy Markdown

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

@EClinick

Copy link
Copy Markdown
Author

@codex review

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 8632505417

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread Sources/CodexBarCore/CostUsageFetcher.swift Outdated
Comment thread Sources/CodexBar/UsageStore.swift Outdated
@EClinick

Copy link
Copy Markdown
Author

@clawsweeper re-review

@clawsweeper clawsweeper Bot added rating: 🦪 silver shellfish Thin PR readiness signal; proof, validation, or implementation needs work. and removed proof: 📸 screenshot Contributor real behavior proof includes screenshot evidence. rating: 🧂 unranked krab Not merge-ready due to missing proof or serious correctness/safety concerns. labels Jun 25, 2026
@clawsweeper clawsweeper Bot added rating: 🧂 unranked krab Not merge-ready due to missing proof or serious correctness/safety concerns. and removed rating: 🦪 silver shellfish Thin PR readiness signal; proof, validation, or implementation needs work. labels Jun 25, 2026
Extracts the window-start normalization into CostUsageFetcher.cursorWindowStart
and adds a focused regression test, including the historyDays == 1 case where
`since` equals now and the window must still cover all of today rather than an
empty exact-instant range.
@EClinick

Copy link
Copy Markdown
Author

@clawsweeper rereview

@clawsweeper

clawsweeper Bot commented Jun 25, 2026

Copy link
Copy Markdown

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

EClinick added 2 commits June 24, 2026 18:06
Pull the Cursor cookie-policy logic out of runCost into reusable
type-level helpers so the serve /cost route can apply the same rules:

- costSupportedProviderNames(): one source of truth for the supported
  provider list used in user-facing messages
- cursorCostShouldSkip(_:settings:): true when the cookie source is Off
- cursorCostHeaderOverride(_:settings:): normalized Manual header or nil
- cursorCookieSettings(...) is now internal and documented as shared

No behavior change for the cost command; this only reshapes the code so
the serve route can reuse it without duplication.
The local serve /cost route fetched Cursor cost unconditionally, so it
ignored the configured cookie source. Apply the shared gating helpers:

- skip Cursor when the cookie source is Off
- forward the Manual cookie header so served data matches the session
- report supported providers dynamically via costSupportedProviderNames()

This closes the merge-gate finding that serve /cost bypassed the same
policy already enforced by the cost command.
@clawsweeper clawsweeper Bot removed the proof: 📸 screenshot Contributor real behavior proof includes screenshot evidence. label Jun 25, 2026
@EClinick

Copy link
Copy Markdown
Author

Pushed a fix for the [P1] serve /cost finding.

serveCost now routes Cursor through the same Off/Manual cookie policy as codexbar cost:

  • skips Cursor when the cookie source is Off
  • forwards the normalized Manual cookie header so served data matches the configured session
  • reports supported providers dynamically (no more hardcoded "Claude and Codex")

To avoid duplication, the policy was extracted into shared helpers (cursorCostShouldSkip, cursorCostHeaderOverride, cursorCookieSettings, costSupportedProviderNames) used by both the cost command and the serve /cost route. Commits: 51dd178c (refactor) + 933e16d6 (serve fix).

Flagging the other two P1s for maintainers:

  • UI proof: the latest build now renders the Cursor-metered line and dashboard-source hint; refreshed screenshots are in the PR body.
  • The new cookie-authenticated Cursor dashboard cost source needs an explicit maintainer auth/privacy sign-off.

@clawsweeper re-review

@clawsweeper

clawsweeper Bot commented Jun 25, 2026

Copy link
Copy Markdown

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

@clawsweeper clawsweeper Bot added proof: sufficient Contributor real behavior proof is sufficient. rating: 🐚 platinum hermit Good normal PR readiness with ordinary maintainer review expected. status: 👀 ready for maintainer look ClawSweeper has no concrete contributor-facing blocker left for this PR. and removed rating: 🧂 unranked krab Not merge-ready due to missing proof or serious correctness/safety concerns. status: 📣 needs proof The PR needs real behavior proof before ClawSweeper can clear the contributor ask. labels Jun 25, 2026
@EClinick

Copy link
Copy Markdown
Author

😎

@clawsweeper clawsweeper Bot added proof: 📸 screenshot Contributor real behavior proof includes screenshot evidence. rating: 🦐 gold shrimp Decent PR readiness signal, but merge confidence is limited. status: 📣 needs proof The PR needs real behavior proof before ClawSweeper can clear the contributor ask. and removed proof: sufficient Contributor real behavior proof is sufficient. rating: 🐚 platinum hermit Good normal PR readiness with ordinary maintainer review expected. status: 👀 ready for maintainer look ClawSweeper has no concrete contributor-facing blocker left for this PR. labels Jun 25, 2026
@EClinick

Copy link
Copy Markdown
Author

@steipete 🐐 how's this looking?

Resolve conflicts in two files by combining both intents:
- InlineUsageDashboardContent: keep Cursor in the cost-history provider
  list and adopt main's more specific tokenCostInlineDashboardEnabled gate.
- PreferencesGeneralPane: keep main's cost-summary display-style picker and
  padded VStack wrapper, and add the Cursor cost status line.

Keep `make check` green after the merge:
- DRY UsageStore.refreshTokenUsage via a resetTokenState(for:resetFetchMarkers:)
  helper so the body stays under the function_body_length limit.
- Scope line_length disables to the Cursor usage-event JSON fixtures, matching
  the existing MistralUsageParserTests convention.
@steipete

steipete commented Jul 1, 2026

Copy link
Copy Markdown
Owner

Maintainer review against current main (55327375) and exact head 02bcdede:

The data path is substantially stronger than the older cost proposals: it reuses Cursor auth resolution, paginates and deduplicates events, preserves local-day “Today” semantics, and keeps API-rate estimates separate from Cursor-metered totals. Focused tests are green: CursorUsageEventsFetcherTests (10), CursorStatusProbeTests (38), CostUsageTokenSnapshotDaySelectionTests (5), and CLICostTests (5).

I am holding the merge for the remaining product/auth decision and documentation gap. This adds an authenticated remote dashboard source to the app, CLI, and server, but docs/cursor.md and docs/cli.md still describe the old behavior. Please document the endpoint/auth fallback, the remote-vs-local meaning of the total, pagination/cache behavior, and codexbar cost output before landing. Refresh packaged menu/CLI proof after rebasing; avoid the generic provider/menu overlap in #1736.

Recommendation: approve as an opt-in Cursor dashboard cost source once the auth/privacy choice is explicit and docs/proof match the final UI. No merge from this review.

@steipete

steipete commented Jul 1, 2026

Copy link
Copy Markdown
Owner

Maintainer follow-up: pushed 43c87553e to this branch.

The fix closes the concrete CLI/server contract gap found during review: when Cursor cost is requested while the Cursor cookie source is Off, codexbar cost --provider cursor now fails explicitly (including structured JSON output), and /cost returns a provider error row instead of silently omitting Cursor. Added regression coverage for the disabled-source payload.

Exact-head proof:

  • swift test --filter CLICostTests — 6 passed
  • swift test --filter CLIServeRouterTests — 41 passed
  • make check — passed, including SwiftFormat and strict SwiftLint
  • make test — all 44 shards passed
  • structured autoreview — clean, no accepted/actionable findings
  • GitGuardian Security Checks — passed on 43c87553e

Recommendation remains: keep this open rather than merge yet. The implementation is strong, but enabling authenticated Cursor dashboard access still needs the product/privacy decision, user-facing docs (docs/cursor.md and CLI docs), and coordination with #1736. Refresh packaged screenshots after that overlap lands and the final auth contract is selected.

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 43c87553e1

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

} else if let override = cursorCookieHeaderOverride {
"|cursorCookie=manual:\(override.hashValue)"
} else {
"|cursorCookie=\(cursorCookieSource.rawValue)"

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Include Cursor auto session identity in the cost scope

When Cursor is in Auto mode this scope records only cursorCookie=auto, so a browser/cached session change to a different Cursor account does not invalidate the cost TTL. If the old cookie is rejected and status refresh imports a new account, the cost refresh below can return early with the previous account's token-cost snapshot until the TTL expires or the user forces a refresh; include an account/session fingerprint for auto resolution or clear these markers when the Cursor identity changes.

Useful? React with 👍 / 👎.

@clawsweeper clawsweeper Bot added rating: 🦪 silver shellfish Thin PR readiness signal; proof, validation, or implementation needs work. and removed rating: 🦐 gold shrimp Decent PR readiness signal, but merge confidence is limited. labels Jul 1, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

merge-risk: 🚨 auth-provider 🚨 Merging this PR could break OAuth, tokens, provider routing, model choice, or credentials. merge-risk: 🚨 compatibility 🚨 Merging this PR could break existing users, config, migrations, defaults, or upgrades. P2 Normal priority bug or improvement with limited blast radius. proof: 📸 screenshot Contributor real behavior proof includes screenshot evidence. rating: 🦪 silver shellfish Thin PR readiness signal; proof, validation, or implementation needs work. status: 📣 needs proof The PR needs real behavior proof before ClawSweeper can clear the contributor ask.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants