# LEARNINGS.md — auto-reverse
## Session: 2026-05-31 — URA GLS API Reverse Engineering
### Environment & Config
- Server IP `185.5.132.28` is NOT in Singapore — gets 403 from SG gov sites
- `OPENROUTER_API_KEY` is in `.env`, loaded by flake.nix shellHook
- Default model changed to `openrouter/xiaomi/mimo-v2.5-pro`
- `anthropic` SDK replaced with `litellm` for multi-provider support
### Codebase Conventions
- `archive.log` is summary only; `archive.jsonl` has full request/response detail
- `CapturedFlow` model stores everything: `req_headers`, `resp_headers`, `req_body`, `resp_body`, `query`
- Tool schemas use Anthropic format (`name`, `description`, `input_schema`) — adapter converts to OpenAI format for litellm
- Tests assert default model string — update when changing model
### Business Context
- URA GLS (Government Land Sales) site at `eservice.ura.gov.sg/maps/?service=GLSRELEASE&site=1`
- Uses ArcGIS REST services on `maps.ura.gov.sg`
- Auth via OneMap JSONP tokens (`getOnemapToken`, `getOnemapLandLotToken`)
- 60+ fields per GLS parcel including location, dates, prices, development codes
- Geo-blocked to Singapore IPs via Azure Application Gateway WAF
### Key Findings — API Architecture
- **ArcGIS endpoints** (`maps.ura.gov.sg/ArcGis/rest/services/lsag/...`): No auth needed, just standard ArcGIS query params
- **OneMap APIs** (`www.onemap.gov.sg/api/...`): Need `Authorization: <jwt>` header from JSONP token endpoint
- **eService APIs** (`eservice.ura.gov.sg/ecasService/...`): Session-based, need cookies from browser
- **LandLot API** (`www.onemap.gov.sg/api/public/landlotAPI/...`): Needs AWS Signature auth (different from Bearer)
### Tool Usage Patterns
- The MITM proxy is the core value — captures all traffic automatically
- JS source files contain the real API documentation (auth flows, endpoints, fields)
- The LLM agent adds cost but wasn't essential for this workflow
- `archive.jsonl` format is critical for replay — without it, captured data is useless
- Browser must be on an authorized IP for geo-blocked sites
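
Because `archive.jsonl` keeps full request and response detail, every record made against the OneMap, eService and LandLot APIs carries a credential. The following is an added example, not code from this repository: it tags each record with the auth scheme it used and strips the credentials before the archive is shared or committed. It assumes one JSON object per line keyed by the `CapturedFlow` field names, header fields as dicts, bodies and `query` as strings, and that the LandLot "AWS Signature" is SigV4 (`AWS4-HMAC-SHA256`); `classify_auth`, `sanitize_line` and the sample records are hypothetical.

```python
import json
import re

# Assumed layout: one JSON object per archive.jsonl line, with the CapturedFlow
# fields as header dicts (req_headers, resp_headers) and strings (bodies, query).
JWT_TOKEN = re.compile(r"eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*")
SECRET_HEADERS = {"authorization", "cookie", "set-cookie", "x-amz-security-token"}


def classify_auth(req_headers):
    """Name the credential type a request carries, per the schemes noted above."""
    h = {k.lower(): v for k, v in req_headers.items()}
    auth = h.get("authorization", "")
    if auth.startswith("AWS4-HMAC-SHA256"):  # assumption: AWS Signature means SigV4
        return "aws-sigv4"
    if JWT_TOKEN.search(auth):
        return "jwt"
    if "cookie" in h:
        return "cookie-session"
    return "none"


def sanitize_line(line):
    """Tag one record with its auth scheme, then strip the credentials from it."""
    flow = json.loads(line)
    flow["auth_scheme"] = classify_auth(flow.get("req_headers") or {})
    for field in ("req_headers", "resp_headers"):
        headers = flow.get(field) or {}
        flow[field] = {k: "[REDACTED]" if k.lower() in SECRET_HEADERS else v
                       for k, v in headers.items()}
    for field in ("req_body", "resp_body", "query"):
        if isinstance(flow.get(field), str):  # JSONP token replies carry the JWT in the body
            flow[field] = JWT_TOKEN.sub("[REDACTED-JWT]", flow[field])
    return flow


FAKE_JWT = "eyJhbGciOiJub25lIn0.eyJzdWIiOiJkZW1vIn0.c2ln"  # constructed, not a real token
SAMPLE_LINES = [json.dumps(r) for r in (  # constructed records, not captured traffic
    {"req_headers": {"Accept": "*/*"}, "query": "f=json&where=1%3D1"},
    {"req_headers": {"Authorization": FAKE_JWT}, "resp_body": "{}"},
    {"req_headers": {"Cookie": "SESSION=constructed"},
     "resp_headers": {"Set-Cookie": "SESSION=constructed"}},
    {"req_headers": {"Authorization": "AWS4-HMAC-SHA256 Credential=EXAMPLE/constructed"}},
    {"req_headers": {}, "resp_body": 'cb({"token":"' + FAKE_JWT + '"})'},
)]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(json.dumps(sanitize_line(line)))
```

A redacted record can no longer be replayed, so keep the unredacted archive local and out of version control, and share only the sanitized copy.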