Tamis — sieve a page for its tags
A tamis is a drum sieve: you push the whole network through it and what's left in the mesh is the ad-tech. The point isn't just to list tags — it's to identify them by vendor, because tag names collide (the worked example below is a "Lantern" that turned out to be an affiliate tracker, not the ITV product someone assumed).
When to use
- "What tags fire on
site?" / "audit this site's tracking" / "which vendors does it use?" - "Is there a
<vendor>tag on this page?" — and you need to confirm the vendor, not trust the name. - You want the post-consent picture ("accept all cookies, then show me everything").
- You're on a network (ControlD, uBlock, a corporate DoH ban) that hides the ad-tech from a normal browser.
When NOT to use
- Reading page content or general automation → use the passe skill directly.
- You only need one known endpoint's response →
passe fetch/passe captureis enough. - You need a specific country's view of geo-targeted tags → see the geo caveat; this host exits from one fixed location.
Precondition: the DoH escape hatch (one-time)
This host's DNS is filtered (ControlD via the tailnet resolver) — ad/martech domains
resolve to 0.0.0.0. The fix is a Chrome managed policy doing DoH straight to the
IP literal 1.1.1.1 (a hostname DoH template fails — ControlD poisons the bootstrap
names too; command-line --dns-over-https-* flags are ignored on Linux, only the policy
takes). tag_scan.py checks for the policy and prints the one-line install if it's missing:
echo '{"DnsOverHttpsMode":"secure","DnsOverHttpsTemplates":"https://1.1.1.1/dns-query"}' \
| sudo tee /etc/chromium/policies/managed/doh-escape-hatch.json
Safe alongside the existing passe Chrome (port 9222): that instance uses a SOCKS5 proxy, which does its own remote DNS, so the policy never affects it. Policy applies on restart only.
Workflow
1. Scout the cookie banner (don't guess the button text)
passe --cdp http://127.0.0.1:9333 run -c 'goto https://SITE/; wait 3; ax-find button'
Read off the real "Accept all" label (it varies: "Accept all cookies", "I Accept", "Agree", …).
If tag_scan.py auto-launches Chrome on first run, run this after the first scan, or launch
Chrome yourself first (see script --port).
2. Scan
${CLAUDE_SKILL_DIR}/scripts/tag_scan.py https://SITE/ --accept "Accept all cookies"
Prints requests grouped by vendor + category, the observed consent state, and an
UNKNOWN list of hosts it couldn't label. Add --json for machine output, --screenshot /tmp/s.jpg for a visual, --wait 12 for slow tag stacks. Omit --accept for the pre-consent state.
Success criteria: the consent line reads granted (G111) (the accept click worked — Google
calls flip gcs=G100→G111); the host count is in the dozens, not single digits (tags fired).
A single-digit host count usually means the banner wasn't dismissed or DNS is still filtered.
3. Identify the unknowns and confirm suspects
For each UNKNOWN host — and for any tag whose name is the actual question — confirm the vendor, don't trust the label:
- Check
references/tag-taxonomy.mdfirst. - Fetch the tag's own script and read its config (it usually self-identifies):
(plaincurl -s --doh-url https://1.1.1.1/dns-query 'https://HOST/path/to/tag.js' | head -c 1000curlis DNS-filtered here — the--doh-urlflag routes round it.) WebSearchthe bare domain + "tracking" / "vendor" / "affiliate".- Add confirmed vendors to
references/tag-taxonomy.md.
Worked example — "there's a Lantern tag on virginmedia.com"
An agency claimed a Lantern tag was live on virginmedia.com; the worry was a premature
ITV-Lantern release. The scan found lantern.roeye.com + lantern.roeyecdn.com. Fetching
lantern_global_6399.min.js showed it hardcoded site=virginmedia, dropped a first-party
lantern=<uuid> cookie with a 30-day window, and only beaconed on external referrers or on
a conversion (order_id/order_value) — textbook affiliate attribution. A web search
identified R.O.EYE, a Manchester affiliate agency. Verdict: name collision, not ITV
Lantern. (Corroborated by Awin — dwin1.com — firing alongside it.) The lesson the skill
encodes: a tag's name is a hypothesis; its script and its vendor are the evidence.
Geo caveat
This host exits from one fixed datacentre location (Hetzner, currently Nuremberg DE), and it's a datacentre IP. So:
- Geo-targeted content, redirects, and regional ad partners can differ from a UK (or any other) visitor's view.
- The EU vantage actually helps this use case — you get the full GDPR/TCF consent banner, i.e. the maximal partner set ("accept all N partners").
- Bot-sensitive sites may treat a DC IP differently from a residential one.
- Need a specific country? Route Chrome through a proxy/exit node there — but note a SOCKS5 proxy does its own remote DNS, which replaces the DoH bypass (fine if that proxy's DNS is itself clean; you then don't need the policy).
Anti-patterns
| Anti-Pattern | Problem | Fix |
|---|---|---|
| Trusting a tag because its name matches a product | Name collisions give a false ID (the "Lantern" trap) | Fetch its script + confirm the vendor |
| Guessing the cookie-banner button text | Wrong selector → banner never dismissed, tags don't fire | ax-find button first (step 1) |
| Concluding "no tags" from a single-digit host count | The banner wasn't dismissed, or DNS is still filtered | Check the consent flip + that the policy is present |
| Using plain curl/dig to fetch a blocked tag here | ControlD resolves it to 0.0.0.0 → the fetch fails | curl --doh-url https://1.1.1.1/dns-query … |
| Reporting one site's tags as authoritative for all geos | This host exits Nuremberg DE — geo-targeted tags differ | State the vantage (geo caveat) |
Integration
- passe — does the actual CDP capture; tamis is the tag-identification layer on top.
- deglacer / consomme — unrelated; tamis is network-capture, not session/BigQuery analysis.
- Reusable rig + gotchas also live in global memory (
doh-tag-escape-hatch).