Skillget

claude-tap

skill
Security Audit
Pass
Health Pass
  • License — License: MIT
  • Description — Repository has a description
  • Active repo — Last push 0 days ago
  • Community trust — 135 GitHub stars
Code Pass
  • Code scan — Scanned 12 files during light audit, no dangerous patterns found
Permissions Pass
  • Permissions — No dangerous permissions requested
Purpose
This tool acts as a local reverse proxy that intercepts and inspects API traffic from AI coding assistants like Claude Code and Codex CLI. It allows developers to see exactly how these assistants construct system prompts, manage conversation history, and use tokens via a browser-based trace viewer.

Security Assessment
Risk Rating: Medium

Because this tool functions as a "man-in-the-middle" reverse proxy, it inherently accesses highly sensitive data. It intercepts and processes your API keys, authentication tokens, proprietary system prompts, and private code payloads as they travel between your CLI and the AI provider's servers. The tool operates entirely locally, and a light code scan found no dangerous hidden patterns, hardcoded secrets, or malicious outbound network requests. However, the very nature of the software means it handles your deepest authentication credentials. Additionally, its README heavily demonstrates pairing the tool with flags like `--dangerously-skip-permissions`, which, if used carelessly, can expose your local environment to unvetted automated code execution.

Quality Assessment
The project is in excellent health and is highly actively maintained, with its last code push occurring today. It is properly licensed under the standard, permissive MIT license. Furthermore, it has earned a solid baseline of community trust, currently sitting at 135 GitHub stars, indicating that multiple independent developers have found it useful and reviewed its functionality.

Verdict
Use with caution: the code itself appears safe and well-maintained, but because the tool's core function requires handling your API secrets and private code, you should inspect its source carefully before routing sensitive projects through it.
SUMMARY

Tap into Claude Code API requests via a local reverse proxy. Inspect system prompts, messages, tools, and token usage.

README.md

claude-tap

PyPI version
PyPI downloads
Python version
License

中文文档

Intercept and inspect all API traffic from Claude Code or Codex CLI. See exactly how they construct system prompts, manage conversation history, select tools, and use tokens — in a beautiful trace viewer.

Demo

Light Mode

Dark Mode / Diff View

Dark Mode
Structural Diff
Character-level Diff

Install

Requires Python 3.11+ and Claude Code (or Codex CLI for --tap-client codex).

# Recommended
uv tool install claude-tap

# Or with pip
pip install claude-tap

Upgrade: uv tool upgrade claude-tap or pip install --upgrade claude-tap

Usage

Claude Code

# Basic — launch Claude Code with tracing
claude-tap

# Live mode — watch API calls in real-time in browser
claude-tap --tap-live

# Pass any flags through to Claude Code
claude-tap -- --model claude-opus-4-6
claude-tap -c    # continue last conversation

# Skip all permission prompts (auto-accept tool calls)
claude-tap -- --dangerously-skip-permissions

# Full-power combo: live viewer + skip permissions + specific model
claude-tap --tap-live -- --dangerously-skip-permissions --model claude-sonnet-4-6

Codex CLI

Codex CLI supports two authentication modes with different upstream targets:

Auth Mode How to authenticate Upstream target Notes
OAuth (ChatGPT subscription) codex login https://chatgpt.com/backend-api/codex Default for ChatGPT Plus/Pro/Team users
API Key Set OPENAI_API_KEY https://api.openai.com (default) Pay-per-use via OpenAI Platform 
# OAuth users (ChatGPT Plus/Pro/Team) — must specify target
claude-tap --tap-client codex --tap-target https://chatgpt.com/backend-api/codex

# API Key users — default target works out of the box
claude-tap --tap-client codex

# With specific model
claude-tap --tap-client codex -- --model codex-mini-latest

# Full auto-approval (skip all permission prompts)
claude-tap --tap-client codex -- --full-auto

# OAuth + full auto + live viewer
claude-tap --tap-client codex --tap-target https://chatgpt.com/backend-api/codex --tap-live -- --full-auto

Browser Preview

# Disable auto-open of HTML viewer after exit (on by default)
claude-tap --tap-no-open

# Live mode — real-time viewer opens in browser while client runs
claude-tap --tap-live
claude-tap --tap-live --tap-live-port 3000    # fixed port for live viewer

When the client exits, you can also manually open the generated viewer:

open .traces/trace_*.html

You can also regenerate a self-contained HTML viewer from an existing JSONL trace:

claude-tap export .traces/trace_20260228_141557.jsonl -o trace.html
# or:
claude-tap export .traces/trace_20260228_141557.jsonl --format html

Proxy-Only Mode

Start the proxy without launching a client — useful for custom setups or connecting from a separate terminal:

# Claude Code
claude-tap --tap-no-launch --tap-port 8080
# In another terminal:
ANTHROPIC_BASE_URL=http://127.0.0.1:8080 claude

# Codex CLI (OAuth)
claude-tap --tap-client codex --tap-target https://chatgpt.com/backend-api/codex --tap-no-launch --tap-port 8080
# In another terminal:
OPENAI_BASE_URL=http://127.0.0.1:8080/v1 codex

# Codex CLI (API Key)
claude-tap --tap-client codex --tap-no-launch --tap-port 8080
# In another terminal:
OPENAI_BASE_URL=http://127.0.0.1:8080/v1 codex

Common Combos

# Trace Claude Code with live viewer and auto-accept
claude-tap --tap-live -- --dangerously-skip-permissions

# Trace Codex (OAuth) with live viewer and full auto
claude-tap --tap-client codex --tap-target https://chatgpt.com/backend-api/codex --tap-live -- --full-auto

# Save traces to a custom directory
claude-tap --tap-output-dir ./my-traces

# Keep only the last 10 trace sessions
claude-tap --tap-max-traces 10

CLI Options

All flags are forwarded to the selected client, except these --tap-* ones:

--tap-client CLIENT      Client to launch: claude (default) or codex
--tap-target URL         Upstream API URL (default: auto per client)
--tap-live               Start real-time viewer (auto-opens browser)
--tap-live-port PORT     Port for live viewer server (default: auto)
--tap-no-open            Don't auto-open HTML viewer after exit (on by default)
--tap-output-dir DIR     Trace output directory (default: ./.traces)
--tap-port PORT          Proxy port (default: auto)
--tap-host HOST          Bind address (default: 127.0.0.1, or 0.0.0.0 in --tap-no-launch mode)
--tap-no-launch          Only start the proxy, don't launch client
--tap-max-traces N       Max trace sessions to keep (default: 50, 0 = unlimited)
--tap-no-update-check    Disable PyPI update check on startup
--tap-no-auto-update     Check for updates but don't auto-download
--tap-proxy-mode MODE    Proxy mode: reverse (default) or forward

Viewer Features

The viewer is a single self-contained HTML file (zero external dependencies):

  • Structural diff — compare consecutive requests to see exactly what changed: new/removed messages, system prompt diffs, character-level inline highlighting
  • Path filtering — filter by API endpoint (e.g., /v1/messages only)
  • Model grouping — sidebar groups requests by model (Opus > Sonnet > Haiku)
  • Token usage breakdown — input / output / cache read / cache creation
  • Tool inspector — expandable cards with tool name, description, and parameter schema
  • Search — full-text search across messages, tools, prompts, and responses
  • Dark mode — toggle light/dark themes (respects system preference)
  • Keyboard navigationj/k or arrow keys
  • Copy helpers — one-click copy of request JSON or cURL command
  • i18n — English, 简体中文, 日本語, 한국어, Français, العربية, Deutsch, Русский

Architecture

Architecture

How it works:

  1. claude-tap starts a reverse proxy and spawns the selected client (claude or codex) with the provider-specific base URL pointing to it
  2. All API requests flow through the proxy → upstream API → back through proxy
  3. SSE streaming responses are forwarded in real-time (zero added latency)
  4. Each request-response pair is recorded to trace.jsonl
  5. On exit, a self-contained HTML viewer is generated
  6. Live mode (optional) broadcasts updates to browser via SSE

Key features: 🔒 API keys auto-redacted · ⚡ Zero latency · 📦 Self-contained viewer · 🔄 Real-time live mode

Contributor Legibility Checks

Run deterministic legibility checks locally:

uv run python scripts/check_legibility.py

Strict freshness mode (promotes stale standards metadata to failures):

uv run python scripts/check_legibility.py --strict-freshness

PR Merge-Readiness Check

Run a concise merge-readiness report for a pull request:

scripts/check_pr.sh <pr_number>

Options:

# Use an explicit repo instead of current checkout
scripts/check_pr.sh <pr_number> --repo owner/repo

# Skip local gates (CI/metadata only)
scripts/check_pr.sh <pr_number> --no-tests

The script prints:

  • PR metadata (title, state, draft flag, merge state, head/base branch)
  • CI checks summary (pass / fail / pending counts)
  • Local gate results (unless --no-tests)
  • Final verdict line: VERDICT: READY ... or VERDICT: NOT_READY ...

Local gates executed by default:

uv run ruff check .
uv run ruff format --check .
uv run pytest tests/ -x --timeout=60

License

MIT

Reviews (0)

No results found