feat: implement desktop detectors for Cursor and Codex App (issue #20)

* feat(rust): add desktop detector error signaling for missing and permission failures (issue #20)

* test(ts): add desktop detector contracts and update cli reason-code assertions (issue #20)

Author: thundermiracle

src-tauri/src/detection/path_based.rs

@@ -29,17 +29,21 @@ pub fn evaluate_path_based_detector(
     let config_probe =
         probe_config_path(config.config_override_env_var, config.config_fallback_paths);
 
-    let (config_path, override_invalid_path) = match config_probe {
+    let (config_path, probe_issue) = match config_probe {
         ConfigProbe::Resolved(path) => (Some(path), None),
-        ConfigProbe::OverrideInvalid(path) => (None, Some(path)),
+        ConfigProbe::OverrideMissing(path) => (None, Some(ProbeIssue::OverrideMissing(path))),
+        ConfigProbe::OverridePermissionDenied(path) => {
+            (None, Some(ProbeIssue::OverridePermissionDenied(path)))
+        }
+        ConfigProbe::PermissionDenied(path) => (None, Some(ProbeIssue::PermissionDenied(path))),
         ConfigProbe::Missing => (None, None),
     };
 
     let (status, confidence, note) = resolve_status_and_note(
         config,
         binary_path.is_some(),
         config_path.is_some(),
-        override_invalid_path.as_deref(),
+        probe_issue.as_ref(),
     );
 
     let evidence = DetectionEvidence {
@@ -61,21 +65,46 @@ pub fn evaluate_path_based_detector(
     }
 }
 
+#[derive(Debug, Clone)]
+enum ProbeIssue {
+    OverrideMissing(String),
+    OverridePermissionDenied(String),
+    PermissionDenied(String),
+}
+
 fn resolve_status_and_note(
     config: &PathBasedDetectorConfig,
     binary_found: bool,
     config_found: bool,
-    override_invalid_path: Option<&str>,
+    probe_issue: Option<&ProbeIssue>,
 ) -> (DetectionStatus, u8, String) {
-    if let Some(invalid_path) = override_invalid_path {
-        return (
-            DetectionStatus::Partial,
-            20,
-            format!(
-                "[config_override_invalid] {} override '{}' is set but unreadable: {}",
-                config.display_name, config.config_override_env_var, invalid_path
+    if let Some(issue) = probe_issue {
+        return match issue {
+            ProbeIssue::OverrideMissing(path) => (
+                DetectionStatus::Partial,
+                20,
+                format!(
+                    "[config_override_missing] {} override '{}' points to missing config: {}",
+                    config.display_name, config.config_override_env_var, path
+                ),
             ),
-        );
+            ProbeIssue::OverridePermissionDenied(path) => (
+                DetectionStatus::Error,
+                0,
+                format!(
+                    "[config_permission_denied] {} override '{}' is not readable: {}",
+                    config.display_name, config.config_override_env_var, path
+                ),
+            ),
+            ProbeIssue::PermissionDenied(path) => (
+                DetectionStatus::Error,
+                0,
+                format!(
+                    "[config_permission_denied] {} fallback config is not readable: {}",
+                    config.display_name, path
+                ),
+            ),
+        };
     }
 
     match config.kind {
@@ -150,10 +179,10 @@ fn resolve_status_and_note(
 mod tests {
     use crate::contracts::{common::ClientKind, detect::DetectionStatus};
 
-    use super::{DetectorKind, PathBasedDetectorConfig, resolve_status_and_note};
+    use super::{DetectorKind, PathBasedDetectorConfig, ProbeIssue, resolve_status_and_note};
 
     #[test]
-    fn invalid_override_resolves_to_partial_state() {
+    fn missing_override_resolves_to_partial_state() {
         let config = PathBasedDetectorConfig {
             client: ClientKind::CodexCli,
             display_name: "Test CLI",
@@ -163,13 +192,19 @@ mod tests {
             config_fallback_paths: &[],
         };
 
-        let (status, confidence, note) =
-            resolve_status_and_note(&config, false, false, Some("/definitely/not/a/file.json"));
+        let (status, confidence, note) = resolve_status_and_note(
+            &config,
+            false,
+            false,
+            Some(&ProbeIssue::OverrideMissing(
+                "/definitely/not/a/file.json".to_string(),
+            )),
+        );
 
         assert!(matches!(status, DetectionStatus::Partial));
         assert_eq!(confidence, 20);
         assert!(note.contains("AI_MANAGER_TEST_INVALID_OVERRIDE"));
-        assert!(note.contains("[config_override_invalid]"));
+        assert!(note.contains("[config_override_missing]"));
     }
 
     #[test]
@@ -202,4 +237,29 @@ mod tests {
             assert!(note.contains(reason_code));
         }
     }
+
+    #[test]
+    fn desktop_detector_surfaces_permission_failures_as_error() {
+        let config = PathBasedDetectorConfig {
+            client: ClientKind::Cursor,
+            display_name: "Cursor",
+            kind: DetectorKind::Desktop,
+            binary_candidates: &[],
+            config_override_env_var: "AI_MANAGER_CURSOR_MCP_CONFIG",
+            config_fallback_paths: &[],
+        };
+
+        let (status, confidence, note) = resolve_status_and_note(
+            &config,
+            false,
+            false,
+            Some(&ProbeIssue::PermissionDenied(
+                "/tmp/unreadable/mcp.json".to_string(),
+            )),
+        );
+
+        assert!(matches!(status, DetectionStatus::Error));
+        assert_eq!(confidence, 0);
+        assert!(note.contains("[config_permission_denied]"));
+    }
 }

src-tauri/src/detection/probe.rs

@@ -3,7 +3,9 @@ use std::path::{Path, PathBuf};
 
 pub enum ConfigProbe {
     Resolved(String),
-    OverrideInvalid(String),
+    OverrideMissing(String),
+    OverridePermissionDenied(String),
+    PermissionDenied(String),
     Missing,
 }
 
@@ -28,20 +30,40 @@ pub fn probe_config_path_with_override(
 ) -> ConfigProbe {
     if let Some(override_value) = override_value {
         let expanded = expand_user_path(override_value);
-        if is_readable_file(&expanded) {
-            return ConfigProbe::Resolved(expanded.to_string_lossy().to_string());
-        }
-
-        return ConfigProbe::OverrideInvalid(expanded.to_string_lossy().to_string());
+        return match file_access_outcome(&expanded) {
+            FileAccessOutcome::ReadableFile => {
+                ConfigProbe::Resolved(expanded.to_string_lossy().to_string())
+            }
+            FileAccessOutcome::PermissionDenied => {
+                ConfigProbe::OverridePermissionDenied(expanded.to_string_lossy().to_string())
+            }
+            FileAccessOutcome::NotFoundOrNotFile => {
+                ConfigProbe::OverrideMissing(expanded.to_string_lossy().to_string())
+            }
+        };
     }
 
+    let mut first_permission_denied: Option<String> = None;
+
     for fallback in fallbacks {
         let expanded = expand_user_path(fallback);
-        if is_readable_file(&expanded) {
-            return ConfigProbe::Resolved(expanded.to_string_lossy().to_string());
+        match file_access_outcome(&expanded) {
+            FileAccessOutcome::ReadableFile => {
+                return ConfigProbe::Resolved(expanded.to_string_lossy().to_string());
+            }
+            FileAccessOutcome::PermissionDenied => {
+                if first_permission_denied.is_none() {
+                    first_permission_denied = Some(expanded.to_string_lossy().to_string());
+                }
+            }
+            FileAccessOutcome::NotFoundOrNotFile => {}
         }
     }
 
+    if let Some(path) = first_permission_denied {
+        return ConfigProbe::PermissionDenied(path);
+    }
+
     ConfigProbe::Missing
 }
 
@@ -62,8 +84,25 @@ fn expand_user_path(value: &str) -> PathBuf {
     PathBuf::from(value)
 }
 
-fn is_readable_file(path: &Path) -> bool {
-    path.is_file() && std::fs::File::open(path).is_ok()
+#[derive(Debug, Clone, Copy, PartialEq, Eq)]
+enum FileAccessOutcome {
+    ReadableFile,
+    PermissionDenied,
+    NotFoundOrNotFile,
+}
+
+fn file_access_outcome(path: &Path) -> FileAccessOutcome {
+    if !path.is_file() {
+        return FileAccessOutcome::NotFoundOrNotFile;
+    }
+
+    match std::fs::File::open(path) {
+        Ok(_) => FileAccessOutcome::ReadableFile,
+        Err(error) if error.kind() == std::io::ErrorKind::PermissionDenied => {
+            FileAccessOutcome::PermissionDenied
+        }
+        Err(_) => FileAccessOutcome::NotFoundOrNotFile,
+    }
 }
 
 fn find_command_in_path(command: &str) -> Option<PathBuf> {
@@ -111,7 +150,7 @@ mod tests {
         let _ = fs::remove_file(&fallback_path);
         let _ = fs::remove_dir(&temp_dir);
 
-        assert!(matches!(outcome, ConfigProbe::OverrideInvalid(_)));
+        assert!(matches!(outcome, ConfigProbe::OverrideMissing(_)));
     }
 
     #[test]
@@ -136,4 +175,53 @@ mod tests {
 
         assert!(matches!(outcome, ConfigProbe::Resolved(_)));
     }
+
+    #[test]
+    fn override_path_reports_permission_denied_when_file_is_unreadable() {
+        let temp_dir = std::env::temp_dir().join(format!(
+            "ai-manager-detection-test-permission-{}",
+            std::process::id()
+        ));
+        let _ = fs::create_dir_all(&temp_dir);
+
+        let protected_file = temp_dir.join("protected-config.json");
+        fs::write(&protected_file, "{}").expect("should create protected fixture");
+
+        #[cfg(unix)]
+        {
+            use std::os::unix::fs::PermissionsExt;
+            let mut perms = fs::metadata(&protected_file)
+                .expect("protected file metadata should exist")
+                .permissions();
+            perms.set_mode(0o000);
+            fs::set_permissions(&protected_file, perms).expect("should change protected mode");
+        }
+
+        let protected_str = protected_file
+            .to_str()
+            .expect("protected path should be valid utf-8");
+
+        let outcome = probe_config_path_with_override(Some(protected_str), &[]);
+
+        #[cfg(unix)]
+        {
+            use std::os::unix::fs::PermissionsExt;
+            let mut perms = fs::metadata(&protected_file)
+                .expect("protected file metadata should exist")
+                .permissions();
+            perms.set_mode(0o644);
+            let _ = fs::set_permissions(&protected_file, perms);
+        }
+
+        let _ = fs::remove_file(&protected_file);
+        let _ = fs::remove_dir(&temp_dir);
+
+        #[cfg(unix)]
+        assert!(matches!(outcome, ConfigProbe::OverridePermissionDenied(_)));
+        #[cfg(not(unix))]
+        assert!(matches!(
+            outcome,
+            ConfigProbe::OverridePermissionDenied(_) | ConfigProbe::Resolved(_)
+        ));
+    }
 }

tests/cli-detectors.test.mjs

@@ -34,5 +34,5 @@ test("cli detector reason codes distinguish missing binary vs missing config", (
   assert.match(pathBasedDetector, /\[config_missing\]/);
   assert.match(pathBasedDetector, /\[binary_missing\]/);
   assert.match(pathBasedDetector, /\[binary_and_config_missing\]/);
-  assert.match(pathBasedDetector, /\[config_override_invalid\]/);
+  assert.match(pathBasedDetector, /\[config_override_missing\]/);
 });

tests/desktop-detectors.test.mjs

@@ -0,0 +1,38 @@
+import assert from "node:assert/strict";
+import { readFileSync } from "node:fs";
+import test from "node:test";
+
+const cursorDetector = readFileSync(
+  new URL("../src-tauri/src/detection/clients/cursor.rs", import.meta.url),
+  "utf8",
+);
+const codexAppDetector = readFileSync(
+  new URL("../src-tauri/src/detection/clients/codex_app.rs", import.meta.url),
+  "utf8",
+);
+const pathBasedDetector = readFileSync(
+  new URL("../src-tauri/src/detection/path_based.rs", import.meta.url),
+  "utf8",
+);
+const probeImplementation = readFileSync(
+  new URL("../src-tauri/src/detection/probe.rs", import.meta.url),
+  "utf8",
+);
+
+test("cursor detector includes app-data fallback candidates", () => {
+  assert.match(cursorDetector, /config_override_env_var: "AI_MANAGER_CURSOR_MCP_CONFIG"/);
+  assert.match(cursorDetector, /~\/.cursor\/mcp\.json/);
+  assert.match(cursorDetector, /Library\/Application Support\/Cursor\/User\/mcp\.json/);
+});
+
+test("codex app detector includes app-data fallback candidates", () => {
+  assert.match(codexAppDetector, /config_override_env_var: "AI_MANAGER_CODEX_APP_MCP_CONFIG"/);
+  assert.match(codexAppDetector, /Library\/Application Support\/Codex\/mcp\.json/);
+  assert.match(codexAppDetector, /~\/.config\/Codex\/mcp\.json/);
+});
+
+test("desktop detector and probe surface permission failures clearly", () => {
+  assert.match(pathBasedDetector, /\[config_permission_denied\]/);
+  assert.match(probeImplementation, /OverridePermissionDenied/);
+  assert.match(probeImplementation, /PermissionDenied/);
+});