CLI-Anything-Web Methodology (Phase 2)
Analyze captured traffic, design the CLI command structure, and implement the complete Python CLI package. This skill owns the core transformation from raw HTTP traffic to a production-ready CLI.
Copy this checklist and check off items as you complete them:
Phase 2 Progress:
- [ ] Prerequisites: raw-traffic.json exists (+ auth state if the site needs auth)
- [ ] Step A: traffic analyzed, protocol identified, <APP>.md written
- [ ] Step A: api-spec.json written (every endpoint cites raw-traffic.json evidence)
and passes `cli-web-devkit spec validate`
- [ ] Step B.0: scaffolded via scaffold-cli.py (.manifest.json present)
- [ ] Step B: client endpoint methods implemented from the spec
- [ ] Step B: command modules implemented + registered, REPL help in sync
- [ ] Smoke check passed (no protocol leaks), phase-state marked complete
Prerequisites (Hard Gate)
Do NOT start unless:
-
raw-traffic.jsonexists (with WRITE operations, or read-only GET-only traffic) - Auth state was captured during Phase 1 (if the site requires auth)
If raw-traffic.json is missing or has no WRITE operations, invoke the
capture skill first. If Phase 1 state shows failed, follow
skills/shared/RECOVERY.md §phase-state Check Failures before re-running.
Exception for read-only sites: If the site is genuinely read-only (search engine,
dashboard, analytics viewer with no create/update/delete), the trace may contain only
GET requests. In this case, note "read-only site — no write operations" in <APP>.md
and proceed. The generated CLI will have read-only commands (list, get, search) but
no create/update/delete commands. This is valid.
No-auth sites: If the target site requires no authentication (public API,
no login needed), the "Auth state captured" prerequisite does not apply. Note
"no-auth site" in <APP>.md and proceed.
Step A: Analyze (API Discovery)
Goal: Map raw traffic to a structured API model.
Process:
-
Read
traffic-analysis.jsonfirst (if it exists alongsideraw-traffic.json). This file is auto-generated byparse-trace.pyormitmproxy-capture.py→analyze-traffic.pyand contains pre-detected protocol type, auth pattern, endpoint grouping, GraphQL operations, batchexecute RPC IDs, and suggested CLI commands. Use it as a starting point — verify its findings and fill in anything marked "unknown" by readingraw-traffic.jsonmanually.Enhanced analysis (present only when captured via mitmproxy):
request_sequence(timeline-ordered requests with auth-flow detection),session_lifecycle(cookie inventory, auth-cookie identification, session pattern), andendpoint_sizes(response-size classification). If these are missing (has_timestamps: false), the capture came from the default trace path — rely on manual analysis for sequence/session detail.If
traffic-analysis.jsondoesn't exist, run the analyzer:python ${CLAUDE_PLUGIN_ROOT}/scripts/analyze-traffic.py \ <app>/traffic-capture/raw-traffic.json --summary -
Parse
raw-traffic.json(for details the analyzer couldn't extract) -
Group requests by base path (e.g.,
/api/v1/boards/,/api/v1/items/) -
For each endpoint group, identify:
- HTTP method (GET/POST/PUT/DELETE/PATCH)
- URL pattern (extract path parameters like
:id) - Query parameters and their types
- Request body schema (JSON fields, types, required/optional)
- Response body schema
- Authentication method (Bearer token, cookie, API key)
- Rate limiting signals (429 responses, retry-after headers)
-
Identify RPC protocol type -- classify the API transport:
Protocol Detection Signal Client Pattern REST Resource URLs ( /api/v1/boards/:id), standard HTTP methodsclient.pywith method-per-endpointGraphQL Single /graphqlendpoint,query/mutationin bodyclient.pywith query templatesgRPC-Web application/grpc-webcontent type, binary payloadsProto-based client Google batchexecute batchexecutein URL,f.req=body,)]}'\nprefixrpc/subpackage (seereferences/google-batchexecute.md)Custom RPC Single endpoint, method name in body, proprietary encoding Custom codec module Public REST API Documented /api/endpoints, OpenAPI spec, JSON responsesStandard client.pywith httpxPlain HTML (no framework) No SPA root, no framework globals, data in <table>/<div>client.pywith httpx + BeautifulSoup4This determines client architecture in Step B -- REST uses simple
client.py, non-REST protocols need a dedicatedrpc/subpackage with encoder/decoder/types. -
Detect data model:
- Entity types (boards, items, users, projects...)
- Relationships (board has many items, item belongs to board)
- ID formats (UUID, numeric, slug)
-
Detect auth pattern:
- Cookie-based sessions
- Bearer/JWT tokens
- OAuth refresh flow
- API key headers
- Browser-delegated auth: tokens embedded in page JavaScript (e.g.,
WIZ_global_data), not in HTTP headers. Requires CDP for initial cookies, HTTP for token extraction. Seereferences/auth-strategies.md"Browser-Delegated Auth" section. - No auth / public access: fully public API, no login required. CLI may optionally support API key auth for write operations (e.g., dev.to).
-
Write
<APP>.md-- software-specific SOP document -
Write
agent-harness/api-spec.json-- the machine-readable API spec. Every endpoint MUST carry anevidencefield citing its captured traffic entry (raw-traffic.json#<index>) — never invent endpoints (this is the structural enforcement of the RPC-ID verification rule). Schema and validator:cli-web-devkit spec validate <app>/agent-harness/api-spec.jsonDownstream consumers: client method implementation (Step B), the gap-analyzer (
cli-web-devkit gaps), and the traffic-fidelity review in Phase 4 (spec-vs-traffic becomes a deterministic diff).
Output: <APP>.md (human SOP) + api-spec.json (machine spec, validated).
References: traffic-patterns.md, google-batchexecute.md, ssr-patterns.md
Step B: Implement (Code Generation)
Study Existing CLIs First (Critical for Accuracy)
Before implementing, read an existing CLI that uses the same protocol as your target. These are battle-tested implementations that solved the same problems you'll face.
| Protocol | Reference CLI | Key files to read |
|---|---|---|
| Google batchexecute | notebooklm/agent-harness/cli_web/notebooklm/ | core/rpc/encoder.py, core/rpc/decoder.py, core/client.py, core/auth.py |
| GraphQL + WAF | booking/agent-harness/cli_web/booking/ | core/client.py (curl_cffi + GraphQL), core/auth.py (WAF tokens) |
| HTML scraping | futbin/agent-harness/cli_web/futbin/ | core/client.py (httpx + BS4), commands/players.py |
| Next.js RSC | producthunt/agent-harness/cli_web/producthunt/ | core/client.py (curl_cffi + __next_f flight parsing) |
| REST API | unsplash/agent-harness/cli_web/unsplash/ | core/client.py, commands/photos.py |
| Simple HTML | gh-trending/agent-harness/cli_web/gh_trending/ | Minimal structure example |
How to use reference CLIs:
- Read the reference CLI's
core/client.py— understand the request/response pattern - Read
core/auth.py— copy the login_browser() pattern exactly for Google apps - Read
core/rpc/(for batchexecute) — understand encoder/decoder, DO NOT reinvent - Read
commands/— see how Click commands are structured, how --json works - Read
utils/helpers.py— see handle_errors(), _resolve_cli(), repl patterns
For batchexecute apps specifically, the notebooklm CLI is your bible:
- Copy the enco