auto-reverse/LEARNINGS.md

LEARNINGS.md — auto-reverse

Session: 2026-05-31 — URA GLS API Reverse Engineering

Environment & Config

• Server IP 185.5.132.28 is NOT in Singapore — gets 403 from SG gov sites
• OPENROUTER_API_KEY is in .env, loaded by flake.nix shellHook
• Default model changed to openrouter/xiaomi/mimo-v2.5-pro
• anthropic SDK replaced with litellm for multi-provider support

Codebase Conventions

• archive.log is summary only; archive.jsonl has full request/response detail
• CapturedFlow model stores everything: req_headers, resp_headers, req_body, resp_body, query
• Tool schemas use Anthropic format (name, description, input_schema) — adapter converts to OpenAI format for litellm
• Tests assert default model string — update when changing model

Business Context

• URA GLS (Government Land Sales) site at eservice.ura.gov.sg/maps/?service=GLSRELEASE&site=1
• Uses ArcGIS REST services on maps.ura.gov.sg
• Auth via OneMap JSONP tokens (getOnemapToken, getOnemapLandLotToken)
• 60+ fields per GLS parcel including location, dates, prices, development codes
• Geo-blocked to Singapore IPs via Azure Application Gateway WAF

Key Findings — API Architecture

• ArcGIS endpoints (maps.ura.gov.sg/ArcGis/rest/services/lsag/...): No auth needed, just standard ArcGIS query params
• OneMap APIs (www.onemap.gov.sg/api/...): Need Authorization: <jwt> header from JSONP token endpoint
• eService APIs (eservice.ura.gov.sg/ecasService/...): Session-based, need cookies from browser
• LandLot API (www.onemap.gov.sg/api/public/landlotAPI/...): Needs AWS Signature auth (different from Bearer)

Tool Usage Patterns

• The MITM proxy is the core value — captures all traffic automatically
• JS source files contain the real API documentation (auth flows, endpoints, fields)
• The LLM agent adds cost but wasn't essential for this workflow
• archive.jsonl format is critical for replay — without it, captured data is useless
• Browser must be on an authorized IP for geo-blocked sites