HTTP reference

CLI Finder Registry API

Search CLI tools, read evidence, and generate agent-ready artifacts through unauthenticated, read-only JSON endpoints.

Quick Request

The base URL is https://clifinder.net. Every public registry endpoint accepts GET or OPTIONS and requires no API key.

curl
curl --get 'https://clifinder.net/api/registry/tools' \
  --data-urlencode 'q=review pull requests' \
  --data-urlencode 'agent=codex' \
  --data-urlencode 'environment=headless' \
  --data-urlencode 'maxRisk=R1' \
  --data-urlencode 'output=json' \
  --data-urlencode 'limit=5'

Success response envelope

Public /api/registry/* endpoints return { code: 0, message: "ok", data: ... }. Clients should check code and data rather than treating HTTP 200 alone as the complete success condition.

Endpoints

Search returns match reasons with complete tool objects, detail returns one complete tool, and artifact generation returns a filename, media type, and textual content.

GET/api/registry/tools
Search tools
Full-task search with multidimensional filters. The default limit is 20 and can be set from 1 to 100.
curl
curl -s 'https://clifinder.net/api/registry/tools?q=parse%20json&maxRisk=R1&limit=3'
GET/api/registry/use-cases
List use cases
Read every bilingual agent workflow with its tool stack, inputs, outputs, steps, approval points, rollback, and evidence. This endpoint accepts no query parameters.
curl
curl -s 'https://clifinder.net/api/registry/use-cases'
GET/api/registry/use-cases/:slug
Read use-case detail
Read one complete workflow by slug. Both en and zh content are returned so clients can select a locale locally.
curl
curl -s 'https://clifinder.net/api/registry/use-cases/review-github-prs'
GET/api/registry/tools/:slug
Read tool detail
Read installation, authentication, output, commands, readiness, risk, evidence, and compatibility. This endpoint accepts no query parameters.
curl
curl -s 'https://clifinder.net/api/registry/tools/github-cli'
GET/api/registry/artifacts/:slug
Generate an artifact
type is required; agent and mode are optional. The generated file text is returned in data.content.
curl + jq
curl -s 'https://clifinder.net/api/registry/artifacts/github-cli?type=skill-md&agent=codex&mode=read-only' \
  | jq -r '.data.content'
GET/registry.json
Sync the full manifest
Returns schemaVersion, update time, categories, tools, and legacy slug redirects directly, without the code/message/data envelope.
curl
curl -s 'https://clifinder.net/registry.json' -o registry.json

Search Parameters

Each parameter may appear once. agent, environment, risk, category, and evidence accept comma-separated values; maxRisk accepts one value; unknown parameters return HTTP 400.

ParameterValuesMeaning
qstring ≤ 200Task, tool name, or capability phrase; omit it to browse all tools through filters.
agentclaude-code, codex, gemini-cli, copilot-cliFilter by explicitly recorded agent compatibility; comma-separated values are accepted. All four agents can invoke a shell, so compatibility must not be read as executed verification.
environmentlocal, ci, container, headless, remoteFilter by explicitly recorded runtime environment. An absent environment means the registry does not claim compatibility, not that execution is impossible.
riskR0, R1, R2, R3Match tools with commands at the requested risk level; risk is a command-level signal.
maxRiskR0, R1, R2, R3Return only tools whose maximumLevel does not exceed this value. It matches the website maximum-risk filter and accepts one value.
outputformat stringMatch a recorded output format such as json, yaml, or csv; comma-separated values are accepted.
categorycode-collaboration, deployment-cloud, containers-kubernetes, databases, data-text, http-webhooks, web-automation, security, operations-infrastructureFilter by registry category slug; comma-separated values are accepted.
evidenceverified, docs-verified, maintainer-submitted, community-reported, unverifiedFilter by evidence confidence, which is separate from readiness and low risk.
limit1–100; default 20Limit the number of returned items; total still reports every match.

Artifact Types

A type is required for /api/registry/artifacts/:slug. mode accepts read-only, standard, or advanced; agent accepts claude-code, codex, gemini-cli, or copilot-cli.

typeFilenamePurpose
skill-mdSKILL.mdAn agent-facing tool skill.
agents-mdAGENTS.mdAgent instructions that can be incorporated into a repository.
claude-mdCLAUDE.mdA Claude Code instruction fragment that can be incorporated into CLAUDE.md.
claude-policyclaude-settings.jsonA command policy for an agent or shell.
codex-policycodex-policy.rulesA command policy for an agent or shell.
gemini-policygemini-policy.tomlA command policy for an agent or shell.
shell-allowlistshell-allowlist.txtA command policy for an agent or shell.
manifest-jsonclifinder.jsonA machine-readable manifest for one tool.
manifest-yamlclifinder.yamlA machine-readable manifest for one tool.
manifest-schemaclifinder.schema.jsonAn independent JSON Schema for validating a single-tool manifest.
dockerfileDockerfileA runtime file for an automation project.
github-actionsclifinder.ymlA runtime file for an automation project.

Policy type constraints

claude-policy supports agent=claude-code, codex-policy supports agent=codex, and gemini-policy supports agent=gemini-cli. If agent is omitted, the service infers it from the policy type; conflicting combinations return HTTP 400.

Safety mode boundaries

read-only keeps R0 and forbids R1-R3; standard prompts for R1 by default and forbids R2-R3; advanced may expand R2 to explicit approval while still forbidding R3. Only an individually audited R0/R1 prefix marked suffix-safe can be auto-allowed; every other available prefix prompts.

Responses, Errors, and Caching

API errors use an HTTP status with code=-1 and are never cached. Preserve message for diagnostics, but do not branch on its text.

Success example

application/json
{
  "code": 0,
  "message": "ok",
  "data": {
    "query": "review pull requests",
    "filters": { "agent": "codex", "maxRisk": "R1" },
    "items": [],
    "total": 0,
    "limit": 5
  }
}

Error example

HTTP 400 · application/json
{
  "code": -1,
  "message": "Limit must be an integer between 1 and 100"
}
StatusScenarioHandling
200code=0The request succeeded; read data. An empty search also returns 200 with empty items.
204OPTIONSA successful CORS preflight with no body.
400code=-1Missing type, unknown or duplicate parameter, invalid enum, limit, or slug.
404code=-1The slug format is valid, but the tool is absent from the registry.

CORS

Access-Control-Allow-Origin is *, GET and OPTIONS are allowed, and a preflight can be cached for 86400 seconds.

Cache policy

API: 60 seconds in browsers, 300 seconds in shared caches, and 86400 seconds stale-while-revalidate. registry.json: 300 seconds in browsers and 3600 in shared caches. Errors are no-store.