feat(cursor): add sqlite-first auth with keychain fallback #210

Merged: robinebers merged 2 commits into main from fix/cursor-cli-support on Feb 23, 2026

@robinebers (Owner) commented Feb 22, 2026

Description

Add Cursor CLI-compatible auth fallback while keeping Cursor Desktop as the primary token source. The plugin now reads Cursor tokens from Desktop SQLite first and falls back to keychain services used by CLI login.

Related Issue

Fixes #208

Type of Change

  • Bug fix
  • New feature
  • New provider plugin
  • Documentation
  • Performance improvement
  • Other (describe below)

Testing

  • I ran bun run build and it succeeded
  • I ran bun run test and all tests pass
  • I tested the change locally with bun tauri dev

Additional verification performed:

  • bun run test plugins/cursor/plugin.test.js (pass)
  • bun run test:coverage (fails due to existing threshold: plugins/gemini/plugin.js branch coverage 70.61% < 80%)

Screenshots

N/A (no UI changes)

Checklist

  • I read CONTRIBUTING.md
  • My PR targets the main branch
  • I did not introduce new dependencies without justification

Made with Cursor


Note

Medium Risk
Changes authentication token sourcing and persistence for the Cursor plugin, which can affect login/refresh behavior if keychain/SQLite interactions differ across environments.

Overview
Updates the Cursor provider to load auth tokens from Cursor Desktop’s SQLite state DB first, with a fallback to Cursor CLI keychain entries when SQLite tokens are missing.

Token refresh now persists the new access token back to the same source it was loaded from (SQLite or keychain), and user-facing error messages now suggest agent login as an alternative sign-in path. Documentation and tests were expanded to cover keychain loading, refresh persistence behavior, and SQLite-vs-keychain precedence.

Written by Cursor Bugbot for commit 3e8c07a. This will update automatically on new commits.


Summary by cubic

Add SQLite-first auth with Cursor CLI keychain fallback for the Cursor provider. Desktop and agent login both work, and refreshed tokens persist to their source (fixes #208).

  • New Features
    • Prefer Desktop SQLite tokens; fall back to CLI keychain (cursor-access-token, cursor-refresh-token).
    • Persist refreshed access tokens to the same source (SQLite or keychain).
    • Clearer auth errors with a login hint: "Sign in via Cursor app or run agent login."
    • Tests for keychain fallback/persistence and SQLite precedence; docs/README updated with CLI auth and token order.

Written for commit 62db424. Summary will update on new commits.

Read Cursor tokens from Desktop SQLite first, then fall back to CLI keychain tokens. Persist refreshed access tokens to the active source and add regression tests plus provider docs for the new auth source order.

Co-authored-by: Cursor <cursoragent@cursor.com>
@davidarny (Collaborator) left a comment

LGTM!

@cubic-dev-ai (Bot, Contributor) left a comment

No issues found across 4 files

Copilot AI (Contributor) left a comment

Pull request overview

This PR adds Cursor CLI authentication support to enable usage tracking for users who use agent login instead of or alongside Cursor Desktop. The implementation follows a SQLite-first, keychain-fallback pattern similar to the Claude plugin, ensuring Desktop users are unaffected while CLI users gain full support.

Changes:

  • SQLite tokens (Desktop) take precedence; keychain tokens (CLI) serve as fallback
  • Token refresh now persists updated access tokens back to their original source
  • Enhanced error messages guide users to both Desktop and CLI login options

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 1 comment.

| File | Description |
| --- | --- |
| plugins/cursor/plugin.js | Implements keychain read/write functions, loadAuthState with source tracking, and updates refreshToken to persist to correct source |
| plugins/cursor/plugin.test.js | Adds 3 comprehensive tests covering keychain fallback, refresh persistence, and SQLite precedence |
| docs/providers/cursor.md | Documents dual auth sources, token precedence order, and CLI setup instructions |
| README.md | Updates Cursor feature list to mention CLI auth support |

Comment thread plugins/cursor/plugin.test.js
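
The source-tracking behaviour summarised in this review (SQLite first, keychain fallback, refreshed access token written back only to the store it was loaded from), as an added example that is not the plugin's own code. In-memory Maps stand in for the SQLite state DB and the OS keychain; the SQLite key names, the `persistAccessToken` helper, the function bodies and the "at least one token" rule are assumptions, while the keychain service names are the ones given in the PR summary.

```javascript
// Added example. Maps stand in for the Desktop SQLite state DB and the OS keychain.
const NAMES = {
  // Hypothetical SQLite keys; the PR page does not list the real ones.
  sqlite: { access: "example.accessToken", refresh: "example.refreshToken" },
  // Keychain service names as given in the PR summary.
  keychain: { access: "cursor-access-token", refresh: "cursor-refresh-token" },
};
const SOURCE_ORDER = ["sqlite", "keychain"]; // Desktop first, CLI fallback

// Read both tokens from one store. Empty strings count as missing.
function readPair(store, names) {
  const accessToken = store.get(names.access) || null;
  const refreshToken = store.get(names.refresh) || null;
  // Assumption: a source is usable if it holds at least one of the two tokens.
  return accessToken || refreshToken ? { accessToken, refreshToken } : null;
}

// Return tokens from the first usable source and remember which one it was.
// Tokens are never combined across sources, so an access token from one
// login is never paired with a refresh token from another.
function loadAuthState(stores) {
  for (const source of SOURCE_ORDER) {
    const pair = readPair(stores[source], NAMES[source]);
    if (pair) return { ...pair, source };
  }
  return null; // caller surfaces the sign-in hint
}

// Persist a refreshed access token only to the store the state came from.
function persistAccessToken(state, newAccessToken, stores) {
  const names = NAMES[state.source];
  if (!names) throw new Error("unknown token source: " + state.source);
  stores[state.source].set(names.access, newAccessToken);
  return { ...state, accessToken: newAccessToken };
}

// Constructed sample: CLI-only user, so SQLite is empty and the keychain is populated.
const sample = {
  sqlite: new Map(),
  keychain: new Map([["cursor-access-token", "old-at"], ["cursor-refresh-token", "rt"]]),
};
const loaded = loadAuthState(sample);
const refreshed = persistAccessToken(loaded, "new-at", sample);
console.log(refreshed.source, sample.sqlite.size); // keychain 0
```

Writing back only to the originating store keeps a refresh for a CLI login from overwriting, or creating, credentials in the Desktop database, and the reverse.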
@validatedev (Collaborator) left a comment

Do not see any potential issue, approved!

@robinebers robinebers merged commit deba467 into main Feb 23, 2026
2 checks passed
@robinebers robinebers deleted the fix/cursor-cli-support branch February 23, 2026 09:51

Development

Successfully merging this pull request may close these issues.

Support usage for Cursor CLI
