OR Key
drop another .md file to compare - side-by-side diff against api-sniffer

api-sniffer

Captures how a website talks to its data so you can pull the same info.
description: "Triggers on prompt mention of 'api-sniffer'."
personal 2 files 10 recent evals
Export

What it does for you

Captures how a website talks to its data so you can pull the same info.

What it produces

A recent result, so you can see the kind of work it returns.

loading…

How to get it

These run inside the Snappy workspace. Want this working in your business? I set skills like this up with you, in one focused week.

Work with me
For developers how this skill is built, graded, and how it runs

at a glance- the short version

actorExported functions in state/lib/api-sniffer.ts.
auditorNone wired yet - eval is manual (Robert review).
eval modeshape
categoryIntegrations
stages3
dependsbrowse

what's inside - the parts that make up a skill 3/4 present

A skill is just a few plain-text files. Only the main one is required. The rest are optional, added as the work needs them. This is what the skill is made of; how it runs is just below.

The skill
state/skills/api-sniffer/SKILL.md present
the skill itself, in plain text
The main file. It says what the skill is and lays out the steps in plain English.
Code
state/lib/api-sniffer.ts present
code the skill can run
Reusable code this skill can call when it needs to.
Scripts
state/bin/api-sniffer/ not present
helper scripts
Optional. Added when a skill has a few commands to run.
Loader
state/skills/api-sniffer/AGENTS.md present
what the AI loads on the fly
Loaded automatically the moment this skill is needed. Kept short on purpose.

how it's graded - what counts as a good run 4 criteria · 2 deterministic · 2 judge

Each row is one thing a good run has to get right. deterministic means a quick check decides, pass or fail. judge means the AI reads the result and rates it. Grading each piece on its own (instead of one overall score) shows exactly where a run fell short, so the fix is obvious.

name
kind
check
api_sniffer_output_exists
deterministic
A non-empty output file, e.g., 'sniffer.log', is present after execution.
api_sniffer_log_format
judge
The output log adheres to the expected format for captured XHR/fetch traffic.
captured_traffic_relevance
judge
The captured traffic directly relates to the actions implied by 'capture_input', 'loadSnifferRecipe_input', and 'replay_input'.
no_runtime_errors
deterministic
The skill execution completes without throwing unhandled exceptions or critical errors visible in stdout/stderr or logs.

how it runs - the shared frame every skill uses 5/5 present

Every skill runs the same way. One part does the work, a separate part checks it, and a short loader hands the AI exactly what it needs for the job. Anything this skill doesn't use shows a one-line note saying why, on purpose, not by accident.

makes the work The worker
present
Exported functions in state/lib/api-sniffer.ts. the worker
Does the actual work. Whatever it produces is what gets checked next.
checks the work The reviewer
present
None wired yet - eval is manual (Robert review). the checker
A separate checker grades the work, so the part that made it can't approve its own work.
frame
learns Self-correction
present
fixes itself learns from gaps
When a run hits a gap, the skill gets edited on the spot [FIXED] or queued for a bigger rewrite [LOGGED], so it keeps getting better.
tidies up Background fixes
present
queued for rewrite runs in the background
Bigger fixes that can't be made on the spot get queued and rewritten in the background later.
remembers Run history
present
state/log/pending-eval.ndjson pending runs
Every run is written down here, then reviewed by hand each week.
Critical rules the things this skill must not get wrong
  1. NEVER fan out parallel agent-browser writes on a single session — DOM mutations silently drop (memory: feedback_no_parallel_browser_writes). Serialize captures.
  2. ALWAYS save the captured recipe to disk before replaying — replays without persisted recipes leave no audit trail

what it has learned - fixes written back in over time sample

When a run hits something this skill didn't handle, the fix gets written back into the skill so it doesn't happen again. FIXED means it was corrected on the spot. LOGGED means it's queued for a bigger rewrite. Either way, the skill gets a little better and never makes the same mistake twice.

  1. Loading feedback rows…

how the work flows- who makes it, who checks it

inputs browse
actor Exported functions in state/lib/api-sniffer.ts.
1 generator
invoke
actor = Exported functions in state/lib/api-sniffer.ts.
import { capture, loadSnifferRecipe, replay } from "state/lib/api-sniffer.ts"
+ eval for this step
auditor None wired yet - eval is manual (Robert review).
2 auditor
inspect
auditor = None wired yet - eval is manual (Robert review).
npx tsx -e 'import("/Users/robertboulos/projects/snappy-os/state/lib/api-sniffer.ts").then(m => console.log(Object.keys(m)))'
+ eval for this step
3 data
eval log
`state/log/pending-eval.ndjson` (skill: "api-sniffer")
+ eval for this step

SKILL.md- the skill, written out in plain English

api-sniffer

Capture XHR/fetch traffic from a real browser session

Ported from kernel snappy-api-sniffer in Phase 0.5. See state/lib/api-sniffer.ts for the full API surface.

Steps

  • capture() - see state/lib/api-sniffer.ts
  • loadSnifferRecipe() - see state/lib/api-sniffer.ts
  • replay() - see state/lib/api-sniffer.ts

Eval

Actor: the exported functions in state/lib/api-sniffer.ts. Auditor: none wired yet - eval is manual (Robert review). File a state/log/pending-eval.ndjson row on each run.

Score convention:

OutcomeScore
Pass on first try1.0
Failed first, auto-fix applied, re-check passed0.5
Still failing or unrecoverable0.0

Gotchas

via the Phase 0.5 driver. Only these rewrites were applied: already in state/lib/)

  1. realpathSync(process.argv[1]) CLI guard wrapped in try/catch
  • See the kernel SKILL.md for the original long-form guidance if you need it

(read-only reference at the kernel path above).

Graduation

This skill is prose. Graduate by defining a deterministic auditor and flipping eval: auto.

Rubric

criteria:
  - name: api_sniffer_output_exists
    kind: deterministic
    check: "A non-empty output file, e.g., 'sniffer.log', is present after execution."
  - name: api_sniffer_log_format
    kind: judge
    check: "The output log adheres to the expected format for captured XHR/fetch traffic."
  - name: captured_traffic_relevance
    kind: judge
    check: "The captured traffic directly relates to the actions implied by 'capture_input', 'loadSnifferRecipe_input', and 'replay_input'."
  - name: no_runtime_errors
    kind: deterministic
    check: "The skill execution completes without throwing unhandled exceptions or critical errors visible in stdout/stderr or logs."

AGENTS.md- what the AI loads when this skill comes up

api-sniffer - loader

Per-turn rules for the api-sniffer skill. Full reference: state/skills/api-sniffer/SKILL.md. Do not skip these.

Critical Rules

_(no failures recorded yet - Phase 0.5 mechanical port from kernel snappy-api-sniffer. Read state/skills/api-sniffer/SKILL.md and state/lib/api-sniffer.ts before invoking.)_

  • NEVER fan out parallel agent-browser writes on a single session - DOM mutations silently drop (memory: feedback_no_parallel_browser_writes). Serialize captures.
  • ALWAYS save the captured recipe to disk before replaying - replays without persisted recipes leave no audit trail

Commands

| ui dashboard | state/skills/api-sniffer/resources/ui.openui | |invoke: import { capture, loadSnifferRecipe, replay } from "state/lib/api-sniffer.ts" |verify: npx tsx -e 'import("/Users/robertboulos/projects/snappy-os/state/lib/api-sniffer.ts").then(m => console.log(Object.keys(m)))' |eval log: state/log/pending-eval.ndjson (skill: "api-sniffer")

OpenUI Resource

  • Skill-owned OpenUI Lang resource: state/skills/api-sniffer/resources/ui.openui. Read it before rendering or editing this skill's generated component surface.
  • Treat this resource as a first-class artifact of the skill, not a generic chat response. Improve it when the skill's user-facing output needs to become richer.
  • System resources compose OpenUI primitives and inherit SnappyChat tokens. Use ui_contract: branded in SKILL.md only for deliberate platform or client visuals.

Known Pitfalls

  • Browser-session-bound - needs an authenticated session in agent-browser before capture works
  • Phase 0.5 port - no rewrite beyond settings path + sibling rewires + CLI guard

Self-Test

An agent reading this should correctly:

  1. [ ] Refuse to fan out parallel browser-write agents on one session
  2. [ ] Persist the recipe before replay
  3. [ ] Use state/lib/api-sniffer.ts, not a hand-rolled DevTools script

Self-report

If this loader fell short, append a line:

echo "[$(date -u +%FT%TZ)] api-sniffer: <what was missing>" >> state/log/loader-feedback.log

<!-- kernel-ok: historical attribution for the PID-loader pattern. -->

Self-correcting loader (PID feedback)

This is the rule that makes loaders learn. Ported from snappy-kernel, where it demonstrably worked: the snappy-dom-cartographer skill mapped Skool admin UI once, every later ship-agent inherited the full map for free.

Before you finish, do two things:

1. Fix gaps (P - proportional). MANDATORY. If this loader didn't cover your case - if you had to read another file, run an undocumented command, work around a wrong selector, or discover a quirk - you MUST attempt an Edit to this AGENTS.md before you log.

  • Default action: edit this file. Surgical. Add the missing line, table

row, or code example where it belongs. No restructuring.

  • Only LOGGED is allowed when: the fix needs >10 lines, spans multiple

files, or requires a structural rewrite. In that case the state/regen/drain.sh queue picks it up asynchronously.

  • "I didn't have time" / "it's minor" / "the next agent will figure it out"

are NOT valid reasons. Minor gaps compound - that's the whole point of this loop.

  • Concrete example of a valid P-fix: discover agent-browser screenshot

takes path positionally not as --output <path>. One line in a table. Edit it in. Do not just log it.

  • The goal: the next agent never has to leave the loader.

2. Log the result.

echo "[$(date -u +%FT%TZ)] api-sniffer: <what was missing or fixed> [FIXED|LOGGED]" >> state/log/loader-feedback.log
  • FIXED = you patched this loader inline (P-fix).
  • LOGGED = too large for inline; the PostToolUse enqueue + Stop-hook drain

will rewrite the loader from scratch on next session-end.

Do not skip this. Every agent run must leave the system better than it found it. The loader is the setpoint; you are the sensor; the gap is the error signal; closing the gap is the correction.

api.ts- the code it can call

#!/usr/bin/env npx tsx
/**
 * snappy-api-sniffer/api.ts -- Capture XHR/fetch traffic from a real browser session
 * and emit replayable "recipes" that consumer skills can call with plain fetch().
 *
 * Why this exists: many surfaces (Skool, LinkedIn feeds, etc.) gate their internal
 * APIs behind JS challenges or Next.js middleware that reject cookie-curl. Running
 * them through a real Playwright session via snappy-browse captures the real calls;
 * this skill turns those calls into replay recipes.
 *
 * Composition (DRY):
 *   snappy-browse ------ Playwright transport (navigate, eval, network requests)
 *     └─ snappy-api-sniffer ------ capture → filter → emit recipe → replay
 *
 * Usage:
 *   npx tsx api.ts capture https://www.skool.com/snappy "api2.skool.com" skool-feed
 *     → navigates, waits, filters requests by URL substring, writes recipe json
 *
 *   npx tsx api.ts replay skool-feed
 *     → reads recipe, re-executes via fetch() with stored cookies
 */

import { existsSync, mkdirSync, readFileSync, realpathSync, writeFileSync } from "fs";
import { join, dirname } from "path";
import { env } from "./env.ts";
import {
  navigate,
  clearRequests,
  captureRequests,
  close,
  type CapturedRequest,
} from "./browse.ts";

const RECIPE_DIR = join(process.env.HOME!, ".claude/skills/snappy-api-sniffer/recipes");

export interface ApiRecipe {
  name: string;
  captured_at: string;
  source_url: string;
  filter: string;
  requests: CapturedRequest[];
  cookies_hint?: string; // path to auth state file used at capture time
}

/** Normalize a captured request into a shape consumer skills can replay. */
function toRecipeEntry(r: CapturedRequest) {
  return {
    url: r.url,
    method: r.method,
    resource_type: r.resource_type,
    status: r.status,
    // Strip cookies from headers (cookies come from the state file at replay time)
    request_headers: Object.fromEntries(
      Object.entries(r.request_headers || {}).filter(([k]) => k.toLowerCase() !== "cookie")
    ),
    post_data: r.post_data,
  };
}

/**
 * Capture all XHR/fetch traffic on a page and write a recipe file.
 * sourceUrl: where to navigate. filter: substring/pattern to keep.
 * statePath: optional Playwright storage_state.json to load cookies from.
 */
export async function capture(
  name: string,
  sourceUrl: string,
  filter: string,
  opts: { statePath?: string; waitMs?: number } = {}
): Promise<ApiRecipe> {
  const waitMs = opts.waitMs ?? 4000;
  // Force fresh daemon if a state file was supplied — otherwise --state is ignored.
  if (opts.statePath) {
    try { close(); } catch {}
  }
  navigate(sourceUrl, opts.statePath);
  clearRequests();
  // Trigger a soft reload so the settled page re-fires its XHRs and they land in the capture buffer.
  try { navigate(sourceUrl, opts.statePath); } catch {}
  await new Promise((r) => setTimeout(r, waitMs));

  const all = captureRequests(filter);
  const xhrOnly = all.filter(
    (r) => r.resource_type === "xhr" || r.resource_type === "fetch"
  );

  const recipe: ApiRecipe = {
    name,
    captured_at: new Date().toISOString(),
    source_url: sourceUrl,
    filter,
    requests: xhrOnly.map(toRecipeEntry) as CapturedRequest[],
    cookies_hint: opts.statePath,
  };

  mkdirSync(RECIPE_DIR, { recursive: true });
  const path = join(RECIPE_DIR, `${name}.json`);
  writeFileSync(path, JSON.stringify(recipe, null, 2));
  return recipe;
}

/** Load a previously-captured recipe. */
export function loadSnifferRecipe(name: string): ApiRecipe {
  const path = join(RECIPE_DIR, `${name}.json`);
  if (!existsSync(path)) throw new Error(`Recipe not found: ${path}`);
  return JSON.parse(readFileSync(path, "utf-8"));
}

/**
 * Replay a single request from a recipe via plain fetch().
 * Loads cookies from the recipe's statePath (Playwright storage_state format).
 */
export async function replay(
  recipeName: string,
  index = 0,
  overrides: { urlRewrite?: (u: string) => string } = {}
): Promise<{ status: number; body: string }> {
  const recipe = loadSnifferRecipe(recipeName);
  const entry = recipe.requests[index];
  if (!entry) throw new Error(`Recipe ${recipeName} has no request #${index}`);

  let cookie = "";
  if (recipe.cookies_hint && existsSync(recipe.cookies_hint)) {
    const state = JSON.parse(readFileSync(recipe.cookies_hint, "utf-8"));
    cookie = (state.cookies || [])
      .map((c: { name: string; value: string }) => `${c.name}=${c.value}`)
      .join("; ");
  }

  const url = overrides.urlRewrite ? overrides.urlRewrite(entry.url) : entry.url;
  const headers: Record<string, string> = {
    ...(entry.request_headers || {}),
    ...(cookie ? { Cookie: cookie } : {}),
  };
  // Drop headers that fetch refuses to set
  for (const h of ["host", "content-length", "connection"]) delete headers[h];

  const res = await fetch(url, {
    method: entry.method,
    headers,
    body: entry.post_data,
  });
  const body = await res.text();
  return { status: res.status, body };
}

// --- CLI ---

if ((() => { try { return import.meta.url === `file://${realpathSync(process.argv[1])}`; } catch { return false; } })()) {
  (async () => {
    const [, , cmd, ...args] = process.argv;
    switch (cmd) {
      case "capture": {
        const [sourceUrl, filter, name, statePath] = args;
        if (!sourceUrl || !filter || !name) {
          console.error("Usage: api.ts capture <url> <filter> <name> [statePath]");
          process.exit(1);
        }
        const recipe = await capture(name, sourceUrl, filter, { statePath });
        console.log(`captured ${recipe.requests.length} requests → ${name}.json`);
        for (const r of recipe.requests) {
          console.log(`  ${r.method} ${r.url}`);
        }
        try { close(); } catch {}
        break;
      }
      case "replay": {
        const [name, idxStr] = args;
        if (!name) { console.error("Usage: api.ts replay <name> [index]"); process.exit(1); }
        const out = await replay(name, Number(idxStr || 0));
        console.log(`status=${out.status}`);
        console.log(out.body.slice(0, 2000));
        break;
      }
      case "list": {
        const recipe = loadSnifferRecipe(args[0]);
        for (let i = 0; i < recipe.requests.length; i++) {
          console.log(`${i}: ${recipe.requests[i].method} ${recipe.requests[i].url}`);
        }
        break;
      }
      default:
        console.log("Usage: npx tsx api.ts [capture|replay|list] ...");
    }
  })();
}

scripts- helper scripts it can run

prose-only skill - 1 inline code block live in SKILL.md above (no state/bin/ sidecar yet).

how we check it- the checks, plus the last 10 runs

rubric shape schema-shape check (no inline rubric)
recent mean 1.00 · 10 runs actor/auditor: unverifiable
deps browse
timestamp verb score primary_issue artifact
2026-04-25 04:11Z - 1.00 - -
2026-04-21 15:58Z - 1.00 - -
2026-04-21 15:56Z - 1.00 - -
2026-04-21 03:53Z - 1.00 - -
2026-04-25 04:11Z - 1.00 - -
2026-04-21 15:58Z - 1.00 - -
2026-04-21 15:56Z - 1.00 - -
2026-04-21 03:53Z - 1.00 - -
2026-04-25 04:11Z - 1.00 - -
2026-04-21 15:58Z - 1.00 - -