Developer search intent: SDK cloud runs are not IDE plug-ins

If queries like “Cursor SDK cloud agent stuck”, “Agent API timeout automation”, “MCP handshake behind Mihomo”, or “export HTTPS_PROXY for Cursor CLI job” landed you here, you already skimmed glossy IDE troubleshooting posts and realized they seldom cover unattended workers. The Cursor desktop experience can feel healthy while scripted Agent.create sessions, cron-triggered dashboards, or CI runners lose long polls because the spawning environment never inherited sane proxy tuples or because your rule stack accidentally STARVES SaaS API hosts beneath aggressive GEOIP blocks.

This guide mirrors the pragmatic tone of our Claude Code and OpenAI Codex terminal articles but rotates the protagonist to programmatic Cursor agents. You still standardize on Clash Verge Rev—the maintained Mihomo GUI stack—because observability beats blind toggling: you prepend rules with evidence exported from Connections, harmonize exporters, validate with timed curl, and only escalate to temporary Global flashes or bounded TUN when HTTP libraries refuse to cooperate.

Where Agent API traffic and MCP collide with routing policy

Cursor’s programmable surface stitches together outbound HTTPS for orchestration—the Agent API family you poll or stream against when driving cloud runs from @cursor/sdk—plus optional Model Context Protocol bridges that may be local (stdio to a command you control) or remote (additional HTTPS/WSS edges if you proxy tools through hosted relays). The failure shapes differ:

  • Cloud agent workers initiated from Node, Bun, or bundled CLIs typically rely on modern fetch stacks that honor HTTP_PROXY / HTTPS_PROXY when those variables exist at process start—yet many orchestration harnesses strip them.
  • stdio MCP servers on 127.0.0.1 never traverse Clash unless you misconfigure NO_PROXY; debugging them is about command PATH and permissions—not upstream tunnels.
  • Remote MCP endpoints behave like miniature SaaS microservices and inherit the exact starvation bugs that plague Anthropic or OpenAI API calls when GEOIP directives send traffic DIRECT into broken AS paths.
  • Mixed fleets that chain cloud agents plus external API keys multiply the TLS surface; each hop needs consistent DNS semantics and deterministic rule ordering.

Articulating those layers avoids the trap of patching only the symptom you saw first—for example MCP logs—while Agent API SSE streams still ride a starving selector group.

Signals that scream split-routing starvation—not “agents got dumber overnight”

Separate infrastructure churn from Cursor-side rate limits:

  • Client-side watchdog aborts with sparse HTTP status payloads—classic symptom of stalled CONNECT tunnels.
  • Flows that flirt between your premium proxy outbound and DIRECT in the Connections table precisely when SDK jobs rerun.
  • Success fetching metadata from GitHub/npm while SaaS-aligned Cursor egress fails—hints at policy mismatch rather than outright offline internet.
  • Immediate relief flipping Global upward for ninety seconds—a reliable tell that starvation lives under GEOIP shortcuts.
  • TLS resets or QUIC fallbacks aligning with captive portals, not concurrency caps from the Cursor platform.

Once you categorize the outage class, instrumentation—not intuition—guides which prepend YAML block matters.

Mental model: three planes you cannot desynchronize

  1. The resolver plane: OS-level DNS, systemd-resolved, macOS mDNS stacks, Mihomo DNS listeners, fake-ip interplay. Skew manifests as half-open SYN storms or mystery NXDOMAIN chatter.
  2. The policy plane: Mihomo rule ordering, GEOIP starvation, FINAL fallbacks. Global mode only proves misclassification; rules encode the sustainable answer.
  3. The export plane: Environment variables, PAC files, system proxy toggles, TUN adapters. SDK automation usually demands explicit exports because there is no omniscient GUI parent.

Cloud agents fail when any plane drifts—for example fake-ip answers that disagree with the resolver your Node worker trusted, or HTTPS_PROXY defined in .zshrc but never sourced inside GitHub Actions.

Establish a trustworthy Clash Verge Rev baseline

Before blaming @cursor/sdk versions, lock the transport floor:

  • Refresh subscription nodes; stale clusters exaggerate AI-shaped tail latency.
  • Document mixed HTTP port, SOCKS port, and controller endpoints—teams lose hours debating “7890 versus 9090 folklore.”
  • Choose an outbound resilient to sustained TLS—not just sparkly ping leaderboard entries.
  • Enable verbose logging when isolating intermittent incidents only; mute afterward to curb disk IO.
  • Vendor Overrides as timestamped merges so recurring automation cannot silently truncate developer SaaS prepend blocks.

Healthy baselines shorten mean time to innocence for SDK owners who rightly fear shipping flaky automation.

Tip: Keep a Markdown runbook snippet titled “Cursor SDK egress” beside similar blocks for Claude and Codex teams already maintain—network on-call merges one YAML fragment rather than hallucinating bespoke DOMAIN-KEYWORD lines under pressure.

Rule split routing, diagnostic Global, system proxy, and TUN

Use a deliberate ladder instead of brute forcing VPN switches:

  • Rules-first: prepend DOMAIN-SUFFIX anchors for SaaS-aligned Cursor egress before starvation-prone DIRECT lists.
  • Global as flashlight: confirm starvation hypotheses briefly, screenshot Connections, revert.
  • Verge system proxy: align GUI-launched ancillary tools without kernel drivers.
  • TUN mode: capture SDK child processes spawned by tooling that despises manual proxies—or multiplexed QUIC stacks that circumvent CONNECT semantics.

Document which elevation finally stabilized your nightly agent fleet; future teammates inherit operational truth instead of campfire myths.

Hostnames worth verifying in Logs—not mythical static lists

Vendors rebalance CDN edges quarterly. Seed investigations with plausible anchors, yet let your Logs expand the roster:

  • Cursor-aligned apex and SaaS API namespaces surfaced while reproducing timeouts—watch Connections for fresh subdomains after client updates.
  • Authentication redirects that coincide with SSO or refreshed API tokens.
  • Telemetry or websocket companions that behave like benign noise until cloud agents saturate them concurrently.
  • Remote MCP relays or partner APIs your profile chains after tool registration.
  • Shared infrastructure hosts (package registries, Git hosts) interacting with bootstrap scripts preceding Agent API calls.

After each discovery, widen rules surgically; avoid KEYWORD matchers so greedy they hijack unrelated HTTPS flows.

Example prepend block (rename outbound realistically)

Assume your selector label is PROXY—replace with your factual group (🇯🇵 Auto, Premium, etc.). Keep these rows above starvation-prone shortcuts:

DOMAIN-SUFFIX,cursor.sh,PROXY
DOMAIN-KEYWORD,cursorapi,PROXY

Favor widening using captured MISS rows rather than blindly copying snippets from chat threads—the second line is illustrative; tighten it when your corp DNS hosts benign collisions.

Pin Overrides so subscription refresh merges cannot silently delete proven developer SaaS scaffolding.

HTTPS_PROXY and launch contexts automation engineers forget

Unattended runners magnify POSIX foot-guns:

  • Interactive shells: .zshrc exports help only when the SDK truly launches inside that sourced session.
  • direnv per repo: isolates Cursor automation from unrelated experiments without laptop-wide leakage.
  • launchd / systemd: embed explicit Environment= keys—never assume Dock-clicked binaries inherit terminals.
  • containers: bake proxy env at build-arg time or orchestration manifests; Docker defaults are desert-dry.
  • CI platforms: GitHub/GitLab equivalents need repository secrets mapped to uppercase/lowercase pairs consistently.
  • WSL bridging: aim at the Windows host IP when Verge listens there; tweak Windows Defender inbound allowances.

Mihomo-compatible tuples resemble:

export http_proxy=http://127.0.0.1:7890/
export https_proxy=http://127.0.0.1:7890/
export HTTP_PROXY=http://127.0.0.1:7890/
export HTTPS_PROXY=http://127.0.0.1:7890/

Add NO_PROXY for loopback MCP glue, RFC1918 networks you trust locally, corp artifactories, internal Helm charts hosts, plus link-local multicast if your scripts touch them:

export NO_PROXY=localhost,127.0.0.1,.internal.corp,.svc.cluster.local

HTTP CONNECT versus SOCKS multiplexing quirks

Some MCP client stacks prefer SOCKS multiplexing paths; aligning ALL_PROXY=socks5://127.0.0.1:YOUR_SOCKS_PORT occasionally rescues baffling partial successes where HTTP CONNECT alone looked fine superficially.

Mismatched port pairs remain the evergreen foot-gun—“curl succeeds with pasted flags yet SDK fails”—because pasted commands reference the correct listener while stale env remnants still aim at dormant ports.

When MCP behaves like SaaS—not like localhost glue

Local stdio MCP feels mundane until you factor remote MCP bridges: those sessions ride HTTPS like any other SaaS workload, compete for the same starvation-prone rules, inherit identical DNS quirks, and still demand explicit carve-outs inside NO_PROXY when loopback relays tunnel internally.

Where remote MCP terminates on partner infrastructure, widen DOMAIN-SUFFIX merges cautiously—treat unfamiliar edges as audited additions, not ephemeral hacks.

Tool chains that multiplex WebSockets benefit from watchers on Connections verifying policy names beside each hop; missing labels usually mean FINAL defaults still hijacked by DIRECT impulses.

Measured verification rituals before escalating tickets upstream

  1. Timed curl probes: curl -v --proxy http://127.0.0.1:7890 https://CURSOR_ALIGNED_HOST with tight --connect-timeout envelopes.
  2. DIRECT comparison: If DIRECT reproducibly hangs while CONNECT succeeds, starvation is undeniable.
  3. Logging policy names: Capture which rule buckets each failure window aligns with—not just success/failure booleans.
  4. Limited Global A/B: Validate hypotheses, screenshot, revert so compliance teams never assume Global became policy.
  5. Environmental printouts: Wrap Agent creation with sanitized env dumps in staging to confirm inherited proxies.

Evidence packets accelerate collaboration with whoever owns the Cursor tenancy because you differentiate transport incidents from entitlement problems quickly.

DNS, fake-ip, and long-lived cloud sessions

Fake-ip accelerates certain browsing patterns yet confuses Node workers when resolver ownership splinters:

  • Review fake-ip-filter additions when SaaS clients exhibit half-handshakes absent from browser repros.
  • Consider nameserver-policy pinning for delicate OAuth choreography.
  • Pair DNS Logs with Connections so you optimize one knob at a time.

Long cloud agent transcripts amplify intermittent DNS divergence that short HEAD checks might never notice—treat streaming stability as endurance testing.

Outbound quality still dominates tail latency narratives

Even immaculate YAML cannot rescue oversubscribed commodity nodes. Rotate providers, stagger concurrent SDK agents so burst TCP aligns with SLA expectations, validate subscription URLs themselves egress correctly (ironic deadlock when renewal endpoints fall under DIRECT starvation), and quantify sustained throughput instead of instantaneous ICMP fantasy metrics.

When multiple automation jobs share selectors, jitter start times briefly to avoid interpreting congestion spikes as mystical API regressions.

Failure matrix at a glance

What you observe Likely root cause Next corrective move
Global heals instantly GEOIP DIRECT starvation of Cursor SaaS Prepend anchored DOMAIN rows ahead of starvation lists
curl proxied succeeds; SDK hangs Launcher missing exporter tuple Snapshot env at spawn boundaries
MCP stalls only on HTTPS-backed tools Remote MCP routed differently than IDE Align rules + exporters for MCP host explicitly
TLS unknown CA loops Corporate MITM trust drift Harmonize trust anchors with sanctioned browsers
WSL breakage while native Windows fine Loopback bridging or firewall quirks Point at correct host listener and open Defender allowances

Team habits keeping SDK automation boringly reliable

Mature shops version-control tiny Mihomo override fragments, annotate incident threads with redacted Connections crops plus SDK log excerpts, automate smoke curls in onboarding—not as brittle integration tests dripping secrets—and schedule periodic audits because unattended agents stress networks harder than sporadic artisanal coding sessions.

They also delineate quotas from routing: lavish YAML cannot resurrect exhausted org limits on the SaaS vendor side.

Finally they document precedence between system proxy pushes and explicit env exporters so CI templates stay reproducible when junior contributors clone starter kits.

Risk posture: policy, entitlement, ethics

TUN everywhere may violate enterprise acceptable-use policies—even when tempting. Harmonize with information security stakeholders before scripting fleet-wide interception. Respect vendor terms regulating automated workloads; improving transport honesty never replaces entitlement to misuse AI capacity.

Redact Secrets aggressively inside logs shared across teams.

FAQ recap (readable)

Must I replicate marketplace proxy guidance? Desktop marketplace fixes share DNA with this article—yet SDK workers still need launcher-level exports and CI-specific wiring IDE posts rarely mention.

Does model branding change routing fundamentals? Search-friendly labels evolve faster than CONNECT semantics; stabilize transport before chasing release-note ghosts.

Persistent Global on build agents? Avoid—split discipline prevents silent compliance drift plus noisy incident reviews.

Why Clash-class observable routing beats opaque “VPN reconnect” hacks for SDK fleets

Opaque consumer VPN dashboards rarely reveal which outbound swallowed your Agent API long poll—or whether MCP handshakes detoured DIRECT into blackholed BGP. Trial-and-error reboot loops waste sprint points. By contrast Clash Verge Rev merges Mihomo’s expressive rule routing grammar with Connections transparency: you prepend a DOMAIN evidence row, rerun HTTPS_PROXY-aware smoke tests, observe the healed policy name, merge to Overrides, ship automation confidently.

Single-purpose SOCKS injectors seldom scale once cloud agents multiplex vendor APIs, ephemeral preview URLs, telemetry buses, remote MCP relays, plus internal git mirrors—all demanding surgical split semantics instead of clumsy blanket tunnels.

If brittle utilities force you into opaque reconnect gymnastics that never annotate routing tables while your Cursor SDK workloads random-walk across networks, consolidating on observable Clash-compatible stacks restores measurable stability without abandoning GEOIP-informed domestic/offshore divides many organizations still mandate.

Download polished Clash builds for your platforms →