Server-side internal flow — no public API change:
- On OAuth2 authorization_code exchange for tstudio-cli app, server
creates a "cursor" PAT with all scopes via direct DB access
- PAT returned as cursor_token field in the token response
- CLI reads it and displays Cursor/DeepSeek setup instructions
- Only created on first login (skipped if "cursor" PAT already exists)
- Token shown once — user must save it
Keeps reqBasicOrRevProxyAuth on public /users/{username}/tokens endpoint.
No token escalation risk — PAT creation is server-internal only.
Also: Bearer auth fix for OAuth2 JWT tokens in CLI API client.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
ozan
e4adcb0757