Tariff-Exposure Data Pipeline — A Resumable, Cloudflare-Resilient Scraper

The Brief

Find likely tariff-exposed U.S. importers from public Bill-of-Lading data, then package the result as a clean, deduplicated file an analyst could triage immediately. The system needed to survive real browser defenses, avoid wasteful proxy churn, recover from long-run failures, and make every scoring decision traceable.

Project Type

Public-data scraping, normalization, and confidence scoring pipeline.

Domain

Trade data and tariff-exposure analysis for U.S. imports from tariff-affected regions.

Source

Public ImportYeti.com pages republishing U.S. customs Bill-of-Lading data.

Architecture

Six-stage pipeline backed by one SQLite database in WAL mode.

Concurrency

Kameleo + Playwright worker processes, each assigned a non-overlapping proxy slice.

Deliverables

CSV, XLSX, and streaming JSONL exports of confidence-scored company records.

The Problem

U.S. companies that import goods from China and other tariff-affected regions may be eligible for duty refunds, exclusions, or other tariff-relief programs — but identifying which companies are exposed is a manual research slog. The underlying evidence (Bills of Lading filed with U.S. Customs) is public, and ImportYeti republishes it in a navigable form, but the site is fronted by Cloudflare bot protection and structured for human browsing, not bulk analysis.

The goal: produce a clean, deduplicated, analyst-ready list of likely tariff-exposed importers, scored by how confident the system is that each company actually imports physical goods from a high-tariff country — without bypassing CAPTCHAs, ignoring robots.txt, or burning through proxy infrastructure.

The Solution

ThinkGenius built a six-stage Python pipeline — discover → fetch → parse → enrich → score → export — where every stage writes its results to a shared SQLite database before the next stage reads them. Each stage is independently runnable, idempotent, and resumable. The fetcher routes every request through a Kameleo anti-detect browser profile attached to Playwright, with a rotating pool of mobile or static dedicated proxies, and rotates only on observed blocks rather than proactively. The scorer assigns each candidate a 0–5 confidence score based on direct evidence of China shipments, supplier diversity, product-token relevance, and address verification. Anything scoring ≥ 4 is exported.

Surviving Cloudflare Without Bypassing It

ImportYeti is fronted by Cloudflare's bot protection. A plain Python HTTP client receives a 403 "Just a moment…" challenge every time. Rather than reach for CAPTCHA solvers or fingerprint-spoofing tooling, the fetcher detects the challenge, aborts cleanly, and logs the block — and the supported path forward is browser-based: Kameleo profiles attached to Playwright, presenting a real fingerprint Cloudflare treats as a normal user, routed through proxies that aren't on the project author's residential IP.

Two proxy pools are supported: rotating mobile carrier IPs (each with a rotate_url for forced refresh) and ~580 static dedicated Webshare datacenter IPs (no rotation URL, so they're put on a 24-hour cooldown after exhaustion). The scaling recipe currently uses the static pool — the larger pool absorbs blocks more gracefully, and Cloudflare doesn't appear to penalize Webshare IPs more than mobile when the browser fingerprint is convincing.

Parallel Workers on a Single SQLite Database

The fetch stage is the slowest by far — browser startup, network latency, Cloudflare patience time. To keep wall-clock time reasonable, run-parallel shards the pending URL queue across N worker processes, each with its own Kameleo profile and its own non-overlapping slice of the proxy pool (assigned via the IMPORTYETI_PROXY_IDS env var, partitioned round-robin so workers never compete for the same outbound IP).

All workers write to the same SQLite database in WAL mode with a 10-second busy timeout. Six workers is the empirical sweet spot — eight pushed SQLite into occasional database is locked retries. Worker fetch loops only insert page records; relationship building and scoring happen in single-process enrich/score stages where contention is zero.

Confidence Scoring

The scorer is deliberately conservative — better to under-export than ship false positives to a tariff analyst. The rubric:

• +2 — at least one supplier in China (or another high-tariff country)
• +1 — more than 5 distinct foreign suppliers
• +1 — at least one recent BOL description containing physical-goods keywords
• +1 — address present and parseable to a real U.S. state
• +1 — country breakdown shows ≥ 25% of suppliers in tariff-affected regions

Score ≥ 4 → written to final_companies and exported. Score < 4 → kept in the candidate table for inspection but never reaches the deliverable. Threshold is configurable via min_score_to_export.

What the Pipeline Deliberately Doesn't Do

Every "don't" is a conscious tradeoff against scope creep, fragility, or ethical risk:

• No CAPTCHA solvers. If Kameleo + a real fingerprint can't get through, the run aborts cleanly.
• No proactive proxy rotation. Burns IPs for no reason. Rotate only on observed blocks.
• No headless mode. Cloudflare's bot signal weights headless flags heavily. Kameleo runs headed; windows just sit minimized.
• No retry storms. Exactly one retry per blocked page on a fresh proxy. After that, the URL is marked error and the pipeline moves on.
• No disallowed paths. /api/*, /cdn-cgi/, /mx/, /us-export/, /partnerships/ are hard-blocked. /search?q is disallowed by robots.txt and is opt-in only.
• No PII enrichment. Publicly listed business addresses and shipment metadata only. No people, no executives, no email harvesting.
• No multi-table writes from worker fetch loops. Workers only insert page records; everything relational happens in single-process stages where SQLite contention is zero.

Output Schema

Each exported row carries the fields a tariff analyst actually needs to triage the candidate:

company_name, normalized_company_name, website, industry_or_product_type, product_description, source_country, supplier_name, import_indicator, confidence_score, confidence_reasoning, importyeti_url, source_keyword, date_scraped, notes, company_city, company_state, company_address, phone, email, contact_page_url

Three deliverables are produced from the same underlying data: importyeti_tariff_sample.csv (rebuilt from the DB on every export), importyeti_tariff_sample.xlsx (same content, Excel-formatted), and importyeti_tariff_sample.jsonl (append-only stream, one record per scored company, written live).

Responsible-Use Posture

The pipeline ships with a descriptive USER_AGENT that names the project and provides contact info, a default 5–7 second delay between requests (with jitter), persistent caching so re-runs don't re-burn the source, and an explicit allow/deny list against ImportYeti's robots.txt. It walks tag pages and individual company/supplier profiles only — no account creation, no credential reuse, no CAPTCHA solving, no calls to disallowed API paths. For sustained high-volume work, the recommended path is ImportYeti's official paid API or a licensed trade-data provider (Panjiva, Descartes Datamyne, S&P Global). The proof-of-concept exists to prove the modeling approach, not to scrape forever.

The Stack

• Python 3
• Playwright
• Kameleo (anti-detect browser)
• BeautifulSoup
• SQLite (WAL mode)
• Webshare static datacenter proxies
• Mobile rotating proxies (iproxy)
• Multi-process worker pool
• CSV / XLSX / JSONL exporters
• Click-style CLI subcommands
• Structured logging
• Disk-based gzipped HTML cache

Why It Matters

Most "scraping" projects fail not because the parser was wrong, but because the system around the parser couldn't handle real conditions: blocks, rate limits, parser drift, mid-run crashes, partial output, and proxy waste. This pipeline is built around those failure modes from the start — every stage is independent, every fetch is cached, every block is recoverable, every run is resumable, and the deliverable updates live so the operator can watch quality emerge instead of waiting hours to find out something went wrong. That's the difference between a one-shot scraper and a system you can put on a schedule.