Traffic Capture (Phase 1)
Assess the site, then capture comprehensive HTTP traffic. This skill combines site assessment with full traffic recording in a single browser session.
Copy this checklist and check off items as you complete them:
Phase 1 Progress:
- [ ] Prerequisites: playwright-cli available, checkpoint restored if one exists
- [ ] Step 1: Browser open on target URL
- [ ] Step 2: Fingerprint run + auth handled + profile classified + assessment.md written
- [ ] Step 3: Full capture — exploration targets met for the profile
- [ ] Step 4: Trace parsed, validate-capture.py PASSED (the gate)
- [ ] Step 5: Browser closed, checkpoint + phase-state marked complete
CRITICAL EXECUTION RULES
NEVER use
run_in_background: truefor ANY playwright-cli command. All playwright-cli commands must run in the foreground with appropriate timeouts. Background execution causes task ID tracking failures — the command completes before you can read the output. Seereferences/playwright-cli-commands.mdfor the timeout table.
NEVER use
evalfor complex expressions.evalfails silently on ternaries, comma operators, and multi-branch logic with "not well-serializable" errors. Userun-codeinstead. Seereferences/framework-detection.mdfor details.
ESM context — no
require().run-codeuses ESM. Useawait import('fs')instead ofrequire('fs'). Seereferences/playwright-cli-commands.md.
Prerequisites (Hard Gate)
Do NOT start unless:
- playwright-cli is available (
npx @playwright/cli@latest --version) - Target URL is known
Default capture method: playwright-cli tracing (standard workflow below).
Optional --mitmproxy mode
When the --mitmproxy flag was passed to /cli-anything-web (or the capture
needs untruncated bodies / enhanced metadata), follow this workflow with the
step substitutions in references/mitmproxy-mode.md — Steps 1, 3, and 4
differ; everything else is identical. When playwright-cli itself is
unavailable (e.g., no Node), fall back to chrome-devtools-mcp via
launch-chrome-debug.sh — see HARNESS.md Tool Hierarchy.
Public API Shortcut
If the target site has a documented public REST/JSON API (e.g., Hacker News Firebase API, Dev.to API, Reddit API, Wikipedia API), browser capture is optional:
- Probe the API endpoints directly with
httpxorcurl - Save responses as
<app>/traffic-capture/raw-traffic.json - Skip to Phase 2 (methodology)
This applies when:
- API docs exist (OpenAPI/Swagger, developer docs page,
/api/prefix) - The API is publicly accessible without browser-specific auth
- Endpoints return JSON (not HTML)
If unsure whether a public API exists, proceed with browser capture as normal.
Resume from Checkpoint
Before starting, check if a previous capture session exists:
python ${CLAUDE_PLUGIN_ROOT}/scripts/capture-checkpoint.py restore <app>
If a checkpoint exists, read the guidance field and resume from the last
completed step instead of starting over. This prevents duplicate work when
sessions are interrupted.
Step 1: Setup
# Create output directory
mkdir -p <app>/traffic-capture
# Clear any stale sessions
npx @playwright/cli@latest kill-all 2>/dev/null || true
npx @playwright/cli@latest -s=<app> open <url> --headed --persistent
# Note: heavy SPAs (Next.js, React) may show "TimeoutError: page._snapshotForAI" on open.
# This is non-fatal — verify with: npx @playwright/cli@latest list
#
# IMPORTANT — "Browser opened with pid..." in command output means the daemon
# RE-ATTACHED to the existing browser, NOT that a new session was created.
# Do NOT re-navigate or restart when you see this. The session is still open.
--mitmproxymode: use the Step 1 substitution inreferences/mitmproxy-mode.md(start the proxy, then open through it).
Do NOT ask the user to log in yet — Step 2 will determine if auth is needed.
Step 2: Site Fingerprint (Single Command)
Run the all-in-one site fingerprint command instead of individual eval calls. This is faster, more reliable, and detects framework + protection + iframes + auth requirements in one shot.
Use the script file — multi-line JS with arrow functions and optional chaining fails in playwright-cli's single-line command parser. The script file approach has been tested and works reliably:
npx @playwright/cli@latest -s=<app> run-code "$(grep -v '^\s*//' ${CLAUDE_PLUGIN_ROOT}/scripts/site-fingerprint.js | tr '\n' ' ')"
IMPORTANT: The
site-fingerprint.jsscript must be loaded via the command above. Do NOT copy-paste the JS inline — it will fail with SyntaxError. Thegrep -vstrips comments andtrjoins lines for single-line execution.
Interpret fingerprint results
The fingerprint returns four groups: framework, protection, auth, iframes.
Map each true flag to the next action:
| Group | Action |
|---|---|
| framework | See references/framework-detection.md for the full protocol table (googleBatch / nextPages / nextApp / nuxt / spaRoot). |
| protection | See references/protection-detection.md — always start at the escalation ladder at the top (plain httpx → curl_cffi → curl_cffi + cookies → camoufox → hybrid). |
| auth | Table below (Auth detection section). |
| iframes | If iframeCount > 0, see references/playwright-cli-advanced.md for the in-iframe re-run snippet. |
Claude-facing shortcuts:
googleBatch: true→ generaterpc/subpackage (batchexecute protocol).cloudflareManagedChallenge: true→ tier 4 (camoufox) is required;curl_cffialone will fail.awsWaf: true→ captureaws-waf-tokencookie; usecurl_cffifor GraphQL, cookie-only for SSR.akamai: trueordatadome: true→ 1–2 s delays between requests are mandatory.serviceWorker: true→ note in assessment.md; generated CLI usesservice_workers="block".iframeCount > 0→ re-run the fingerprint inside the iframe. Google Labs apps (Stitch / MusicFX / ImageFX) follow this pattern — parent hasWIZ_global_data, iframe has the real app.
Note: snapshot and click <ref> auto-resolve iframes. Only drop down to
run-code for iframe interaction when built-in commands fail.
Auth detection (BEFORE exploration)
Check the fingerprint auth fields:
| Condition | Meaning | Action |
|---|---|---|
hasLoginButton && !hasUserMenu | Login required, not logged in | Ask user to log in NOW |
hasUserMenu | Already logged in | Proceed to capture |
!hasLoginButton && !hasUserMenu | No auth needed (public site) | Skip auth, proceed |
If auth is needed:
- Tell the user: "This site requires login. Please log in in the browser window."
- Wait for user confirmation
- Save auth state and tighten permissions (CLAUDE.md mandates
chmod 600):
npx @playwright/cli@latest -s=<app> state-save <app>/traffic-capture/<app>-auth.json
chmod 600 <app>/traffic-capture/<app>-auth.json
If NO auth is needed: Skip directly to Step 2b.
2b. Classify Site Profile
Based on fingerprint results AND what you see in the UI, classify the site:
| Profile | Auth? | Operations | Exploration Focus |
|---|---|---|---|
| Auth + CRUD | Yes | Create, Read, Update, Delete | Full CRUD per resource |
| Auth + Generation | Yes | Generate, Poll, Download | Generation lifecycle + projects |
| Auth + Read-only | Yes | Read, Search, Export | Read operations + auth flow |
| No-auth + CRUD | No/Optional | Full CRUD | Skip auth, full CRUD |
| No-auth + Read-only | No | Read, Search | Minimal capture |
2c. Quick API Probe (Force SPA Navigation Trick)
Start a SHORT trace, click 3-4 internal links, stop. This reveals hidden API endpoints that SSR hides on initial page load.
npx @playwright/cli@latest -s=<app> tracing-start
npx @playwright/cli@latest -s=<app> click <int