中文 | English
A tool for intercepting and analyzing Cursor IDE's gRPC traffic. Decrypts TLS, deserializes protobuf, and displays AI conversations in real-time.
Cursor talks to its backend entirely via gRPC (Connect Protocol). The body is binary protobuf. Burp and Fiddler just show unreadable bytes. Cursor doesn't publish proto definitions either.
This tool decrypts traffic into readable JSON and shows each streaming frame in real-time.
- MITM Proxy - Sits between Cursor and api2.cursor.sh, decrypts TLS with self-signed CA
- Proto Extraction - Extracts proto definitions from Cursor's JS bundle (
protobuf-escompiled output) - Real-time Parsing - Parses Connect Protocol envelope framing, deserializes each protobuf frame
- WebUI - Pushes frames via WebSocket, four-panel layout for service tree / calls / frames / details
go run ./cmd/proxyListens on localhost:8080 (HTTP proxy) and localhost:9090 (WebUI + WebSocket).
# Windows
set HTTP_PROXY=http://localhost:8080
set HTTPS_PROXY=http://localhost:8080
set NODE_EXTRA_CA_CERTS=C:\path\to\ca.crt
# macOS/Linux
export HTTP_PROXY=http://localhost:8080
export HTTPS_PROXY=http://localhost:8080
export NODE_EXTRA_CA_CERTS=/path/to/ca.crtCA certificate is auto-generated at ~/.cursor-tap/ca.crt on first run.
cd web
npm install
npm run devOpen http://localhost:3000.
├── cmd/proxy/ # Proxy entry point
├── internal/
│ ├── ca/ # CA certificate management
│ ├── proxy/ # HTTP CONNECT proxy
│ └── httpstream/ # gRPC parsing core
├── cursor_proto/ # Extracted proto definitions
└── web/ # Next.js frontend
AiService/RunSSE- AI conversation channel (thinking, text, tool calls)BidiService/BidiAppend- User messages and tool resultsAiService/StreamCpp- Code completionCppService/RecordCppFate- Completion accept/reject feedbackAiService/Batch- User behavior telemetry- And dozens more...
For educational and research purposes only.
Detailed reverse engineering notes: cursor-true-reverse-notes-1.md (Chinese)