Improve skill

Author: itssimon

AGENTS.md

@@ -2,7 +2,7 @@
 
 ## Product Overview
 
-[Apitally](https://apitally.io) is an API monitoring and analytics tool. This is a CLI tool for humans and AI agents. It retrieves data from the Apitally API and outputs it in NDJSON format, or optionally stores it in a local DuckDB database and allows running arbitrary SQL queries against it.
+[Apitally](https://apitally.io) is an API monitoring and analytics tool. This is a CLI tool for AI agents and humans. It retrieves data from the Apitally API and outputs it in NDJSON format, or optionally stores it in a local DuckDB database and allows running arbitrary SQL queries against it.
 
 ## Repository Structure
 
@@ -20,6 +20,10 @@ src/
 npm/
   cli.js                Thin wrapper that spawns the native binary
   install.js            postinstall script that downloads the correct binary
+skills/
+  apitally-cli/         Agent skill: guides AI agents through using the CLI to investigate API issues
+    SKILL.md            Workflow, command reference, investigation patterns, SQL examples
+    references/         Detailed command and table schema references
 ```
 
 ## Tech Stack
@@ -82,7 +86,7 @@ Triggered by publishing a GitHub release. Two jobs:
 
 ### Module `run()` functions
 
-Each command module exposes a `pub fn run(...)` that does all the work: resolve auth, call the API, write output. The last parameter is always `impl Write` (stdout in production, `Vec<u8>` in tests). Data goes to the writer (stdout), human messages and progress go to stderr.
+Each command module exposes a `pub fn run(...)` that does all the work: resolve auth, call the API, write output. The last parameter is `impl Write` (stdout in production, `Vec<u8>` in tests), except `auth::run` which takes `&mut impl Read` (stdin) instead. Data goes to the writer (stdout), human messages and progress go to stderr.
 
 ### Error handling and exit codes
 
@@ -100,10 +104,6 @@ Exit code 2 comes from clap (usage errors). `check_response` in `utils.rs` centr
 
 API requests use `api_get`/`api_post` helpers in `utils.rs`. API key is sent as the `Api-Key` header.
 
-### request-logs dual format
-
-The `request-logs` command sends `format: "ndjson"` or `format: "arrow"` depending on whether `--db` is given. NDJSON mode is a raw passthrough (`io::copy` from response to stdout). Arrow mode streams Arrow IPC batches into a DuckDB staging table, then does `INSERT OR REPLACE` into the final table.
-
 ## Tests
 
 Inline `#[cfg(test)] mod tests` in each source file. Run with `cargo test`.
@@ -123,3 +123,4 @@ Inline `#[cfg(test)] mod tests` in each source file. Run with `cargo test`.
 - Verify work compiles and passes `cargo clippy` before considering a task complete
 - Keep user-facing output concise
 - Use inline comments sparingly — only to explain non-obvious intent
+- When changing CLI commands, flags, output format, or DuckDB schemas, update the agent skill in `skills/apitally-cli/` (including its `references/` docs) to reflect those changes

skills/apitally-cli/SKILL.md

@@ -11,25 +11,45 @@ description: >
 
 # Apitally CLI
 
-The Apitally CLI retrieves API request log data from [Apitally](https://apitally.io) and optionally stores it in a local DuckDB database for investigation with SQL. Each record is an individual API request with method, URL, status code, response time, consumer, headers, payloads, exceptions, and more. Request log retention is **15 days**. Older data is not available.
+The Apitally CLI retrieves API request log data from [Apitally](https://apitally.io) and optionally stores it in a local DuckDB database for investigation with SQL. Each record is an individual API request with method, URL, status code, response time, consumer, headers, payloads, exceptions, and more. Request log retention is **15 days**.
 
-Run commands with npx (no install needed):
+Run commands with `npx` (no install needed):
 
 ```
 npx @apitally/cli <command> [--api-key <key>]
 ```
 
+A team-scoped API key is required to use the CLI. The `auth` command writes the provided API key to `~/.apitally/auth.json`. It's then used by all subsequent commands unless overridden by the `--api-key` flag.
+
 All commands output NDJSON to stdout by default. With `--db`, data is written to a DuckDB database instead (`~/.apitally/data.duckdb` by default), enabling SQL queries via the `sql` command.
 
-A team-scoped API key is required to use the CLI. The `auth` command writes the provided API key to `~/.apitally/auth.json`. It's then used by all subsequent commands unless overridden by the `--api-key` flag.
+## Key Concepts
+
+- **App and environment** — An app is a monitored API application, identified by a numeric `app_id`. Each app has one or more environments (e.g. "prod", "dev"). The `env` field on request logs is a string matching the environment name.
+- **Consumer** — An API client or user tracked by Apitally. `consumer_id` is a numeric internal ID (surrogate key, used in request log filters and JOINs). `identifier` is a string set by the application (e.g. email, username) to uniquely identify the consumer. `name` is a display name (auto-generated from `identifier` if not explicitly set). `group` is an optional group name.
+- **Path vs URL** — `path` is the parameterized route template (e.g. `/users/{user_id}`), good for grouping by endpoint. `url` is the full request URL with actual values and query parameters (e.g. `https://api.example.com/users/123?limit=10`).
+- **Application logs** — Server-side log entries emitted by application code during request handling. Only available via `request-details` as the `logs` field.
+- **Spans** — OpenTelemetry trace spans representing units of work during request handling (e.g. database queries, external API calls, instrumented function calls). Only available via `request-details`. Form a tree via `parent_span_id`.
+
+## Command Quick Reference
+
+All commands are run via `npx @apitally/cli <command>`. For full details, see [references/commands.md](references/commands.md).
+
+- `auth [--api-key <key>]` -- configure API key
+- `whoami` -- check auth, show team
+- `apps [--db [<path>]]` -- list apps (get app IDs)
+- `consumers <app-id> [--requests-since <dt>] [--db [<path>]]` -- list consumers for an app (get consumer IDs)
+- `request-logs <app-id> --since <dt> [--until <dt>] [--fields <json>] [--filters <json>] [--limit <n>] [--db [<path>]]` -- fetch request logs (max 1,000,000 rows at once)
+- `request-details <app-id> <request-uuid> [--db [<path>]]` -- fetch full details for a single request (including headers, payloads, exception info, application logs, and spans)
+- `sql "<query>" [--db <path>]` -- run SQL against local DuckDB
 
 ## Workflow
 
-1. **Check authentication** -- run `npx @apitally/cli whoami`. If it fails, ask the user to provide their Apitally API key or run `npx @apitally/cli auth` themselves. Explain that API keys can be created in the Apitally dashboard under Settings > API keys (https://app.apitally.io/settings/api-keys). If the user provides a key, run `npx @apitally/cli auth --api-key <key>` to store it.
+1. **Check authentication** — run `npx @apitally/cli whoami`. If it fails, ask the user to provide their Apitally API key or run `npx @apitally/cli auth` themselves. Explain that API keys can be created in the Apitally dashboard under Settings > API keys (https://app.apitally.io/settings/api-keys). If the user provides a key, run `npx @apitally/cli auth --api-key <key>` to store it.
 
-2. **Identify the app** -- run `npx @apitally/cli apps` to list apps and get their IDs. If there is only one app, use it. Otherwise, if the correct app can't be inferred from the user's previous messages, ask the user which app they mean.
+2. **Identify the app** — run `npx @apitally/cli apps` to list apps and get their IDs. If there is more than one app, and the correct app can't be inferred from the user's messages, ask the user which app they mean.
 
-3. **Determine if consumers are involved** -- decide which scenario applies:
+3. **Determine if consumers are involved** — decide which scenario applies:
    - **(a) Specific consumer(s)**: the user is asking about specific consumers (e.g. by email, name, or group). Fetch consumers first, then query to find the matching `consumer_id`, then use it as a filter when fetching request logs.
    - **(b) Consumer context needed**: the investigation involves consumers but not specific ones known upfront (e.g. "which consumers cause the most errors"). Fetch consumers into DuckDB for later JOINs with request logs.
    - **(c) No consumer involvement**: skip fetching consumers.
@@ -65,66 +85,12 @@ A team-scoped API key is required to use the CLI. The `auth` command writes the
    npx @apitally/cli sql "SELECT method, path, status_code, COUNT(*) as n FROM request_logs WHERE status_code >= 400 GROUP BY ALL ORDER BY n DESC"
    ```
 
-7. **Iterate** -- refine filters, fetch additional fields (headers, bodies, exceptions), or widen the time range as needed
-
-## Command Quick Reference
-
-All commands are run via `npx @apitally/cli <command>`. For full details, see [references/commands.md](references/commands.md).
-
-- `auth [--api-key <key>]` -- configure API key
-- `whoami` -- check auth, show team
-- `apps [--db [<path>]]` -- list apps (get app IDs)
-- `consumers <app-id> [--requests-since <dt>] [--db [<path>]]` -- list consumers for an app
-- `request-logs <app-id> --since <dt> [--until <dt>] [--fields <json>] [--filters <json>] [--limit <n>] [--db [<path>]]` -- fetch request logs (max 1,000,000 rows at once)
-- `request-details <app-id> <request-uuid> [--db [<path>]]` -- fetch full details for a single request (headers, body, logs, spans)
-- `sql "<query>" [--db <path>]` -- run SQL against local DuckDB
+7. **Iterate** — refine filters, fetch additional fields (headers, bodies, exceptions), or widen the time range as needed.
 
 ## Investigation Patterns
 
 For DuckDB table schemas, see [references/tables.md](references/tables.md).
 
-### Find failing requests
-
-```sql
-SELECT timestamp, method, path, status_code, response_time_ms, client_ip
-FROM request_logs
-WHERE status_code >= 400
-ORDER BY timestamp DESC
-LIMIT 50
-```
-
-### Error breakdown by endpoint
-
-```sql
-SELECT method, path, status_code, COUNT(*) as count
-FROM request_logs
-WHERE status_code >= 400
-GROUP BY method, path, status_code
-ORDER BY count DESC
-```
-
-### Find slow requests
-
-```sql
-SELECT timestamp, method, path, status_code, response_time_ms
-FROM request_logs
-ORDER BY response_time_ms DESC
-LIMIT 20
-```
-
-### Response time by endpoint (p50, p95)
-
-```sql
-SELECT method, path,
-       COUNT(*) as count,
-       ROUND(quantile_cont(response_time_ms, 0.5)) as p50_ms,
-       ROUND(quantile_cont(response_time_ms, 0.95)) as p95_ms,
-       MAX(response_time_ms) as max_ms
-FROM request_logs
-GROUP BY method, path
-ORDER BY p95_ms DESC
-```
-
 ### Inspect a specific request
 
 Use `request-details` to fetch full details (headers, body, exception, application logs, spans) for a single request:
@@ -203,16 +169,6 @@ WHERE response_body_json IS NOT NULL
   AND (response_body_json->>'error') IS NOT NULL
 ```
 
-### Requests by country
-
-```sql
-SELECT client_country_iso_code, COUNT(*) as count
-FROM request_logs
-WHERE client_country_iso_code IS NOT NULL
-GROUP BY client_country_iso_code
-ORDER BY count DESC
-```
-
 ## Exit Codes
 
 | Code | Meaning                         |

skills/apitally-cli/references/tables.md

@@ -8,7 +8,7 @@ Tables are created automatically when using the `--db` flag with `apps`, `consum
 CREATE TABLE apps (
     app_id          INTEGER NOT NULL UNIQUE,
     name            TEXT NOT NULL,
-    framework       TEXT NOT NULL,
+    framework       TEXT NOT NULL,            -- e.g. FastAPI, Express
     client_id       TEXT NOT NULL,
     created_at      TIMESTAMPTZ NOT NULL
 );
@@ -33,9 +33,9 @@ CREATE TABLE app_envs (
 CREATE TABLE consumers (
     app_id          INTEGER NOT NULL,
     consumer_id     INTEGER NOT NULL,
-    identifier      TEXT NOT NULL,
-    name            TEXT NOT NULL,
-    "group"         TEXT,
+    identifier      TEXT NOT NULL,             -- e.g. email, username, API key name
+    name            TEXT NOT NULL,             -- auto-generated from identifier if not set
+    "group"         TEXT,                      -- optional consumer group name
     created_at      TIMESTAMPTZ NOT NULL,
     last_request_at TIMESTAMPTZ,
     UNIQUE (app_id, consumer_id)
@@ -51,11 +51,11 @@ CREATE TABLE request_logs (
     app_id                  INTEGER NOT NULL,
     timestamp               TIMESTAMPTZ NOT NULL,
     request_uuid            VARCHAR NOT NULL,
-    env                     VARCHAR,
+    env                     VARCHAR,            -- environment name, e.g. "prod"
     method                  VARCHAR NOT NULL,
-    path                    VARCHAR,
-    url                     VARCHAR NOT NULL,
-    consumer_id             INTEGER,
+    path                    VARCHAR,            -- parameterized route template, e.g. /users/{user_id}
+    url                     VARCHAR NOT NULL,   -- full URL with actual path values, e.g. https://api.example.com/users/123
+    consumer_id             INTEGER,            -- references consumers.consumer_id
     request_headers         STRUCT(name VARCHAR, value VARCHAR)[],
     request_size_bytes      BIGINT,
     request_body_json       JSON,
@@ -70,7 +70,7 @@ CREATE TABLE request_logs (
     exception_message       VARCHAR,
     exception_stacktrace    VARCHAR,
     sentry_event_id         VARCHAR,
-    trace_id                VARCHAR,
+    trace_id                VARCHAR,            -- OpenTelemetry trace ID (hex)
     UNIQUE (app_id, request_uuid)
 );
 ```
@@ -100,14 +100,14 @@ Populated by the `request-details` command when using `--db`.
 CREATE TABLE spans (
     app_id         INTEGER NOT NULL,
     request_uuid   VARCHAR NOT NULL,
-    span_id        VARCHAR NOT NULL,
+    span_id        VARCHAR NOT NULL,          -- OpenTelemetry span ID (hex)
     parent_span_id VARCHAR,
     name           VARCHAR NOT NULL,
-    kind           VARCHAR NOT NULL,
-    start_time_ns  BIGINT NOT NULL,
-    end_time_ns    BIGINT NOT NULL,
+    kind           VARCHAR NOT NULL,          -- e.g. SERVER, CLIENT, INTERNAL
+    start_time_ns  BIGINT NOT NULL,           -- Unix epoch nanoseconds
+    end_time_ns    BIGINT NOT NULL,           -- Unix epoch nanoseconds
     duration_ns    BIGINT NOT NULL,
-    status         VARCHAR NOT NULL,
+    status         VARCHAR NOT NULL,          -- e.g. OK, ERROR, UNSET
     attributes     JSON
 );
 ```