/decompose — reverse-engineer an undocumented API surface

Take a target you can legitimately access — a hosted web API (with or without authentication) or a smart device on your own LAN — and produce: an enumerated endpoint list (or topic / resource / characteristic map for non-HTTP protocols), a draft OpenAPI spec (or Postman collection / annotated catalog), the auth flow documented end-to-end where one exists (refresh / pairing), and a working command-line or script client. The skill is ordered by efficiency-of-discovery — the cheapest phases come first, because the API is often already documented somewhere (Postman public workspaces for web; Home Assistant integrations for IoT) and passive observation gets you 60–80% of the surface before any proxy or deobfuscator is touched.

The skill works equally for: public, unauthenticated APIs (the API behind a public website; an open data portal whose docs aren't current); private/authenticated APIs (a SaaS dashboard you log into); and LAN smart devices.

When to use

• User says "/decompose", "reverse engineer the API for X", "find the endpoints behind X", "build a client for this internal app", or wants an OpenAPI for a service that has none.
• A public website calls an API the maintainers don't document (open data, transit, weather, sports, real-estate listings, etc.) and the user wants programmatic access.
• A product the user uses has no public API but a working web client they are logged into.
• A smart device on the user's LAN (light, plug, thermostat, camera, robot vac, hub) has no documented local API and the user wants to control it locally or integrate it with Home Assistant / Node-RED / their own code.
• A bug-bounty target is in scope and the user wants to map the surface.
• A CTF / research engagement requires understanding an undocumented backend.

When NOT to use