lude-tap

An MCP server that taps your real Chrome's HTTP traffic so Claude Code and Codex CLI can inspect requests and responses while you debug.

You keep using your normal Chrome — same profile, same work account, same extensions, same tabs. lude-tap attaches via the Chrome DevTools Protocol, persists every request/response to a local SQLite database, and exposes it to your AI coding agent through nine MCP tools.

┌─────────────────────────┐         ┌─────────────────────────┐
│ Your real Chrome        │   CDP   │ lude-tap capture        │
│ (same profile, work     │ ──────► │  ─ Playwright over      │
│  Google account, all    │ :9222   │    --remote-debugging   │
│  extensions, all tabs)  │         │  ─ writes to SQLite     │
└─────────────────────────┘         └────────────┬────────────┘
                                                 │
                                       ~/.lude-tap/db.sqlite
                                                 │
                                    ┌────────────▼────────────┐
                                    │ lude-tap serve          │
                                    │  ─ MCP stdio server     │
                                    │  ─ 9 read-mostly tools  │
                                    └────────────┬────────────┘
                                                 │
                                          stdio (JSON-RPC)
                                                 │
                              ┌──────────────────┴──────────────────┐
                              │                                     │
                       Claude Code                              Codex CLI

Features

• Attach to your real Chrome via CDP — no separate Chromium, no proxy, no CA cert
• Captures every XHR, fetch, document load, redirect, websocket open, failed request
• Local SQLite store with full-text search (FTS5) over URLs and bodies
• Secret redaction by default — Authorization, Cookie, Set-Cookie, API keys, JWTs, Stripe/AWS/GitHub/OpenAI/Anthropic tokens
• Body cap at 256KB (truncates tail), skips binary types entirely
• Retention: 50,000 rows / 30 days (whichever first)
• Read-mostly MCP surface — the only write is the mark bookmark tool
• Single npm package, works on macOS and Linux

Install

npm install -g lude-tap

Requires Node ≥ 22 and Google Chrome (or Chromium).

Quick start

1. Start capture in one terminal:

lude-tap capture

This will:

• If Chrome is not running, launch it with --remote-debugging-port=9222 using your default profile (all your tabs, accounts, extensions are preserved).
• If Chrome is running with debug port open, just attach.
• If Chrome is running without the debug port, ask you to quit it (Cmd+Q) and run again.

Leave this terminal open while you use Chrome normally. Every request is being captured.

2. Wire the MCP server into your agent:

For Claude Code:

claude mcp add lude-tap --scope user -- lude-tap serve

For Codex CLI (~/.codex/config.toml):

[mcp_servers.lude-tap]
command = "lude-tap"
args = ["serve"]

3. Ask your agent things like:

• "Show me requests in the last 5 minutes"
• "Why did the checkout POST fail?"
• "List all 4xx and 5xx errors in the last 15 minutes"
• "Find any request whose response body mentions invalid token"
• "Diff the response of request 17 against request 19"

MCP tools

Tool	Purpose
list_recent	Compact table of recent requests (by window, URL filter, status class, host)
get_request	Full detail for one request: headers + bodies
get_response	Just the response side: status, headers, body
search	Full-text search across URLs and bodies via SQLite FTS5
summarize	Endpoint frequency, status distribution, slowest — for a window
errors	Shortcut: failed + 4xx/5xx in a window
diff	Line-level diff of two requests' bodies (request or response side)
mark	Drop a named bookmark at current capture time, or list: true to list
tail	Cursor-style: return all rows with id > since_id, oldest first

Common arguments: window accepts 30s, 5m, 1h, 1d — strings parsed by parseWindow.

CLI

lude-tap capture [--port=9222] [--no-launch]
    Attach to Chrome via the DevTools Protocol. Launches Chrome with debug
    port if not already running.

lude-tap serve
    Run the MCP stdio server (used by Claude Code / Codex CLI).

lude-tap status
    Show captured row count and DB path.

lude-tap clear --yes
    Wipe the entire capture database (db.sqlite + WAL files).

lude-tap --help, lude-tap --version

Configuration

Optional config at ~/.lude-tap/config.json:

{
  "enabled": true,
  "extra_headers": ["x-internal-token"],
  "exclude_hosts": ["www.google-analytics.com", "*.segment.io"]
}

• enabled — toggle redaction (default: true, leave on)
• extra_headers — additional header names to redact
• exclude_hosts — host patterns to skip entirely (exact match or *.example.com suffix)

Environment variables:

• LUDE_TAP_HOME — override storage dir (default: ~/.lude-tap)
• LUDE_TAP_CHROME — override Chrome executable path
• LUDE_TAP_LOG — log level: debug | info | warn | error (default: info)

Security & privacy

Read this before installing.

lude-tap captures all HTTP/HTTPS traffic that flows through your Chrome while capture is running. That includes everything you do in Chrome — work apps, GitHub, GMail, Slack, banking, social, etc. The data sits in a plaintext SQLite database on your machine.

By default:

• Sensitive headers (Authorization, Cookie, Set-Cookie, common API key headers) are replaced with [REDACTED] before storage.
• Sensitive JSON keys (password, token, api_key, etc.) are replaced inside request/response bodies.
• Common secret patterns (JWTs, Stripe sk_live_* / sk_test_*, GitHub ghp_*, AWS AKIA*, OpenAI sk-*, Anthropic sk-ant-*, Google AIza*, Slack xox*) are stripped from any body text.
• Binary responses (images, video, audio, fonts, PDFs, zips, WASM) are not stored — just their size and content-type.

Even so:

• Redaction is best-effort, not a guarantee. Custom auth schemes, encoded tokens, or unusual body formats may slip through.
• The MCP server exposes the DB to whatever AI agent connects. Only run it with agents you trust.
• Wipe the DB any time: lude-tap clear --yes.
• Stop capture by closing the terminal running lude-tap capture or pressing Ctrl+C.

lude-tap runs entirely on your machine. No traffic leaves it. No telemetry.

How it works

1. lude-tap capture looks at http://127.0.0.1:9222/json/version. If reachable, Chrome is already running with the debug port — attach.
2. Otherwise, if Chrome is running, prompt the user to quit it (two processes can't share a profile).
3. Otherwise, launch Chrome with --remote-debugging-port=9222 (and your normal user-data-dir, so everything is preserved).
4. Wait for the port to come up, then chromium.connectOverCDP({ endpointURL }) via playwright-core.
5. Listen at the browser-context level for request, response, requestfailed.
6. Normalize each event: decode body bytes, detect binary, truncate over 256KB, apply redaction.
7. Write to SQLite. WAL mode lets the MCP server read the same DB concurrently.
8. The MCP server (lude-tap serve) is a separate process spawned by Claude Code / Codex CLI over stdio. It reads from SQLite and exposes the 9 tools.

What it does not capture

• Traffic from any browser other than the Chrome you launched (or attached to).
• Traffic from native apps, mobile simulators, or server-side outbound calls.
• Traffic from curl, Postman, HTTPie.

These can be added later with a proxy mode or server-side middleware — the SQLite schema is source-agnostic.

Development

git clone https://github.com/dimitris-di/lude-tap.git
cd lude-tap
npm install
npm run check     # typecheck + format check + tests
npm run build
npm run dev:capture
npm run dev:serve

License

MIT — see LICENSE.