# Cursor Testing Lessons ## Purpose This document records maintainer testing lessons for `pi-cursor-sdk`. It complements unit tests and the [Cursor live smoke checklist](./cursor-live-smoke-checklist.md). Use it when adding regression coverage, debugging false-green releases, or building isolated smoke harnesses. ## Core lesson: integration-shaped bugs beat unit mocks The native replay `Tool grep not found` failure was integration-shaped, not unit-shaped: 1. **Plan mode** calls `setActiveTools(["read", "bash", "edit", "write"])` when execution starts. 2. **pi-cursor-sdk** only re-synced native replay wrappers on `session_start` / `model_select`, not every turn. 3. **The provider** still emitted native replay `toolUse` for `grep` / `cursor`. 4. **pi's agent loop** looked up tools in `context.tools` and failed with `Tool grep not found`. Passing hundreds of unit tests did not prove that chain was safe. Regression coverage now includes: - `test/index.test.ts` — `before_agent_start` and `turn_start` resync after plan-style strip - `test/cursor-native-replay-stress.test.ts` — plan strip → resync → grep replay; inactive-tool trace fallbacks - `test/cursor-provider-replay-live-run.test.ts` — inactive replay tools emit trace instead of broken `toolUse` - `test/cursor-native-replay-trace.test.ts` — shared inactive replay trace formatting - `test/cursor-native-replay-routing.test.ts` — `resolveNativeReplayDisposition` and `partitionNativeToolsByActiveContext` When changing provider/runtime behavior, ask whether the bug spans **pi extension lifecycle**, **active tool state**, **provider streaming**, and **persisted JSONL**. If yes, add an integration-style unit test or live smoke coverage for that chain. ## Dual-check invariant: `context.tools` vs pi active tools Native replay routing intentionally uses two layers: 1. **Extension resync** (`before_agent_start`, `turn_start`) updates pi's active tool set via `syncRegisteredNativeCursorToolsForModel`. This fixes the common case where plan-mode execute strips `grep`/`find`/`cursor` before the next turn. 2. **Provider routing** uses the **`context.tools` snapshot** captured when `streamCursor()` starts (`getActiveContextToolNames` in `src/cursor-context-tools.ts`). It does not read live `pi.getActiveTools()` mid-stream. `src/cursor-native-replay-routing.ts` centralizes provider-side routing against the same `context.tools` snapshot: - **Turn coordinator** calls `resolveNativeReplayDisposition()` per completed SDK tool → `queue_replay` (queue native `toolUse`), `inactive_trace` (`formatInactiveCursorReplayTrace()`), or `transcript_trace`. - **Live-run drain** calls `partitionNativeToolsByActiveContext()` on already-queued native tool batches → active tools become `toolUse`; inactive tools get trace only and the batch returns `"handled"` without `toolUse`. Disposition outcomes: - `queue_replay` — tool is in `context.tools` and a live run exists - `inactive_trace` — native replay tool missing from `context.tools` - `transcript_trace` — native replay off or non-native tool If resync runs but `context.tools` is still stale (e.g. only `read` listed), the provider must **not** emit `toolUse` for inactive tools. `test/cursor-native-replay-stress.test.ts` covers that stale-snapshot path. ## Auth: use `auth.json`, not only env pi resolves Cursor auth in this order: 1. pi `--api-key` 2. stored `cursor` key in `~/.pi/agent/auth.json` from `/login` 3. `CURSOR_API_KEY` For live smoke and isolated harnesses: - **Do not assume** `CURSOR_API_KEY` or `~/.secrets` alone is enough. - **Do assume** pi reads auth from the active `HOME`, usually `~/.pi/agent/auth.json`. - Isolated runs with `env -i HOME=/tmp/...` must **copy** `auth.json` into that temporary home before calling `pi`. Example seed step used by `scripts/isolated-cursor-smoke.sh`: ```bash mkdir -p "$HOME/.pi/agent" cp "$REAL_HOME/.pi/agent/auth.json" "$HOME/.pi/agent/auth.json" chmod 600 "$HOME/.pi/agent/auth.json" ``` Fallback when `auth.json` lacks a `cursor` provider entry: ```bash export CURSOR_API_KEY="your-key" ``` Never commit, log, or paste `auth.json` contents, API keys, or session JSONL with secrets. ## Isolated directories: why and how Use isolated `/tmp` trees when validating: - packed tarball install (`npm pack` → extract → `pi install -l`) - clean `HOME` with no inherited shell profile state - plan-mode-style tool stripping via a shim extension - JSONL replay-error scans independent of stdout Recommended layout: ```text /tmp/pi-cursor-sdk-isolated-/ home/ # seeded ~/.pi/agent/auth.json pack/ # npm pack output (*.tgz) extract/package/ # unpacked extension project/ # empty pi project for install -l sessions/ basic/ native-replay/ plan-strip/ ``` Commands: ```bash # full isolated smoke (unit preflight + pack + live pi) npm run smoke:isolated # pack/unit only, no live Cursor calls SKIP_LIVE=1 npm run smoke:isolated # custom artifact root ISOLATED=/tmp/pi-cursor-sdk-isolated-manual npm run smoke:isolated ``` Every live check should use its own `--session-dir` under the isolated tree. Do not reuse session dirs across scenarios. ## Harness traps we hit repeatedly | Trap | What went wrong | Fix | | --- | --- | --- | | Clean `HOME` without auth | `pi` could not authenticate Cursor in isolated runs | Copy `~/.pi/agent/auth.json` into isolated `HOME` | | `npm pack \| tail -1` | Captured npm notice text, not tarball path | Use `ls -t "$PACK_DIR"/*.tgz \| head -1` | | Packed extension, no install | Provider never loaded in isolated project | Run `npm install --omit=dev` inside extracted package | | Inherited shell env | mise/profile hooks hung or polluted runs | Use `env -i ... MISE_DISABLE=1` for isolated pi calls | | No per-check timeout | One stuck prompt blocked entire harness | Wrap each live check with timeout/watchdog | | stdout-only assertions | Missed replay failures persisted only in JSONL | Scan JSONL for `Tool grep/cursor/find/ls not found` | | Plan strip only on first turn | Under-tested multi-turn resync | Shim strips on every `turn_start`; stress multi-turn separately | | Assuming env auth equals pi auth | False "blocked" or false "pass" in CI-like shells | Check `auth.json` provider keys explicitly when needed | ## JSONL is the source of truth for replay regressions Stdout can look fine while persisted tool results contain errors. Prefer structural JSONL scans over grepping terminal output. Replay failure scan: ```bash node scripts/validate-smoke-jsonl.mjs --replay-errors-only "$SESSION_DIR" ``` Combined usage + replay scan after broader smoke: ```bash node scripts/validate-smoke-jsonl.mjs --replay-errors "$SMOKE_DIR" ``` The replay scan fails on records containing: - `Tool grep not found` - `Tool cursor not found` - `Tool find not found` - `Tool ls not found` ## Plan-mode regression scenario Simulate plan-mode execute stripping with the repo fixture: - `scripts/fixtures/plan-strip-shim/index.ts` It sets active tools to `read`, `bash`, `edit`, `write` on each `turn_start`. Run pi with: ```bash pi -e scripts/fixtures/plan-strip-shim --cursor-no-fast --model cursor/composer-2.5 \ --session-dir "$SMOKE_DIR/plan-strip" \ -p 'After reset, read README.md and answer PLAN_STRIP_OK=yes.' ``` Pass criteria: - No replay `Tool * not found` entries in JSONL - Native replay tools (`grep`, `find`, `read`, etc.) succeed after `turn_start` resync - On non-Cursor model switch, native replay wrappers are removed except core pi tools ## Local validation ladder Run in order before claiming release-ready for provider/runtime changes: ```bash npm test npm run typecheck npm pack --dry-run SKIP_LIVE=1 npm run smoke:isolated npm run smoke:isolated # requires auth.json or CURSOR_API_KEY npm run smoke:live # partial tmux checklist subset ``` Then follow the full manual [Cursor live smoke checklist](./cursor-live-smoke-checklist.md) for surfaces the scripts do not cover (bridge MCP, abort/cancel, full TUI observation, packaging review, cleanup). ## What belongs in CI vs manual smoke - **CI / default `npm test`:** mocked provider tests, extension lifecycle tests, JSONL validator tests, script syntax/help checks. No live Cursor calls. - **Manual / pre-release:** `npm run smoke:isolated`, `npm run smoke:live`, and the full checklist. Requires real Cursor auth and observes TUI/runtime behavior mocks cannot reproduce. If live smoke auth is unavailable, report the release as **blocked**, not skipped-ready. ## Related docs and scripts - [Cursor live smoke checklist](./cursor-live-smoke-checklist.md) - [Cursor native tool replay](./cursor-native-tool-replay.md) - `scripts/isolated-cursor-smoke.sh` - `scripts/tmux-live-smoke.sh` - `scripts/validate-smoke-jsonl.mjs` - `test/helpers/cursor-provider-harness.ts` — controllable native replay pi mock (`createNativeToolDisplayPiForTest`)