Context
The Cursor CLI (and any gRPC client) negotiates HTTP/2 via ALPN during the TLS handshake. The upstream Leash MITM proxy doesn't handle this, causing an infinite reconnect loop with "malformed HTTP" errors inside sandboxed containers.
For the duration while it's broken, I created a temporary clone of the leash image, with the fix applied:
ghcr.io/jurooravec/leash:latest-h2patch
Fix submitted upstream
strongdm/leash#71
Workaround in place
vendor/leash — git submodule pointing at JuroOravec/leash branch workaround/h2patch-imageghcr.io/jurooravec/leash:latest-h2patch — patched Docker image built from vendor/leash/Dockerfile.h2patchDEFAULT_LEASH_IMAGE in src/constants.ts — sets this image as the default when spawning Leash- Injection in
src/engines/docker/index.ts — passes LEASH_IMAGE to the Leash process unless the user already set it
Removal steps (once upstream merges and ships a new npm release)
1 DEFAULT_LEASH_IMAGE from src/constants.ts
2. Delete the WORKAROUND(leash-http2) block from src/engines/docker/index.ts
3. Remove the import of DEFAULT_LEASH_IMAGE from src/engines/docker/index.ts
4. git submodule deinit vendor/leash && git rm vendor/leash
5. Remove the [submodule "vendor/leash"] entry from .gitmodules
6. Bump @strongdm/leash to the fixed npm version
Context
The Cursor CLI (and any gRPC client) negotiates HTTP/2 via ALPN during the TLS handshake. The upstream Leash MITM proxy doesn't handle this, causing an infinite reconnect loop with "malformed HTTP" errors inside sandboxed containers.
For the duration while it's broken, I created a temporary clone of the leash image, with the fix applied:
Fix submitted upstream
strongdm/leash#71
Workaround in place
vendor/leash— git submodule pointing atJuroOravec/leashbranchworkaround/h2patch-imageghcr.io/jurooravec/leash:latest-h2patch— patched Docker image built fromvendor/leash/Dockerfile.h2patchDEFAULT_LEASH_IMAGEinsrc/constants.ts— sets this image as the default when spawning Leashsrc/engines/docker/index.ts— passesLEASH_IMAGEto the Leash process unless the user already set itRemoval steps (once upstream merges and ships a new npm release)
1
DEFAULT_LEASH_IMAGEfromsrc/constants.ts2. Delete the
WORKAROUND(leash-http2)block fromsrc/engines/docker/index.ts3. Remove the import of
DEFAULT_LEASH_IMAGEfromsrc/engines/docker/index.ts4.
git submodule deinit vendor/leash && git rm vendor/leash5. Remove the
[submodule "vendor/leash"]entry from.gitmodules6. Bump
@strongdm/leashto the fixed npm version