fix(box): make CRI reachable over UDS — patch h2 to accept grpc-go authority

[ZhiXiao-Lin]

P0-#0: a3s-box-cri was unreachable by every standard gRPC client

While bringing up the critest scoreboard (CRI-maturity roadmap #2) on a /dev/kvm host, crictl could not even connect — every call failed at CRI-API validation:

rpc error: code = Internal desc = stream terminated by RST_STREAM with error code: PROTOCOL_ERROR

Root cause

grpc-go >= 1.57 (used by crictl, the kubelet, and critest) sends the percent-encoded UDS socket path as the HTTP/2 :authority pseudo-header (e.g. %2Frun%2Fa3s-box.sock). The server's h2 layer rejects it:

h2::server: malformed headers: malformed authority (b"%2F…%2F….sock"): invalid authority
→ send Reset { stream_id: 1, error_code: PROTOCOL_ERROR }

So the request is killed before any CRI RPC runs. The crictl_smoke integration test is #[ignore], which is why this was never caught.

Why not a version bump

• h2 #487 (relax UDS authority) was never merged into any release.
• grpc/grpc #38142 was closed "not planned" — the client behaviour is permanent, and crictl/kubelet expose no authority override.

tonic/prost are used only in the cri crate (the runtime gRPC uses raw UnixStream framing), so the fix is contained to a workspace patch.

Fix

Vendor h2 0.3.27 into third_party/h2 with a surgical relaxation in src/server.rs: when :authority fails to parse and looks like a UDS path (empty, leading /, contains %2F, or ends in .sock), drop it instead of resetting the stream — gRPC routes by :path, so the authority is unused server-side. Wired via [patch.crates-io].

Verification (real /dev/kvm host)

Step	Before	After
crictl version	❌ PROTOCOL_ERROR	✅ a3s-box v2.0.4, ApiVersion v1
images / runp / create / start / ps	❌	✅ pod Ready, container Running
stop / rm / stopp / rmp	❌	✅ all succeed
exec / logs / stats	❌	⚠️ unwired (tracked separately)

Release build + clippy -p a3s-box-cri -D warnings clean with the patch in place.

Refs: hyperium/h2#487, grpc/grpc#38142