@alpic-ai/api 0.0.0-staging.ffd67d5 → 0.0.0-staging.g02867f5

package/dist/index.mjs

@@ -1,72 +1,185 @@
+import { z } from "zod";
+import * as z$1 from "zod/v4";
 import { oc } from "@orpc/contract";
 import ms from "ms";
-import { z } from "zod";
-//#region src/schemas.ts
-const RESERVED_KEYS = [
-	"_HANDLER",
-	"_X_AMZN_TRACE_ID",
-	"AWS_DEFAULT_REGION",
-	"AWS_REGION",
-	"AWS_EXECUTION_ENV",
-	"AWS_LAMBDA_FUNCTION_NAME",
-	"AWS_LAMBDA_FUNCTION_MEMORY_SIZE",
-	"AWS_LAMBDA_FUNCTION_VERSION",
-	"AWS_LAMBDA_INITIALIZATION_TYPE",
-	"AWS_LAMBDA_LOG_GROUP_NAME",
-	"AWS_LAMBDA_LOG_STREAM_NAME",
-	"AWS_ACCESS_KEY",
-	"AWS_ACCESS_KEY_ID",
-	"AWS_SECRET_ACCESS_KEY",
-	"AWS_SESSION_TOKEN",
-	"AWS_LAMBDA_RUNTIME_API",
-	"LAMBDA_TASK_ROOT",
-	"LAMBDA_RUNTIME_DIR",
-	"START_COMMAND",
-	"ENVIRONMENT_ID",
-	"PROJECT_BUILD_IMAGES_REPOSITORY_URI",
-	"ENVIRONMENT_LAMBDA_FUNCTION_ARN",
-	"SOURCE_REPOSITORY",
-	"SOURCE_BRANCH",
-	"SOURCE_REPOSITORY_CREDENTIALS",
-	"RUNTIME",
-	"ROOT_DIRECTORY",
-	"BUILD_ARG_INSTALL_COMMAND",
-	"BUILD_ARG_BUILD_COMMAND",
-	"BUILD_ARG_BUILD_OUTPUT_DIR",
-	"BUILD_ARG_START_COMMAND",
-	"ALPIC_HOST",
-	"ALPIC_CUSTOM_DOMAINS"
-];
-const environmentVariableSchema = z.object({
-	key: z.string().min(2, "Key must be at least 2 characters").regex(/^[a-zA-Z]([a-zA-Z0-9_])+$/, "Key must start with a letter and contain only letters, numbers, and underscores").refine((key) => !RESERVED_KEYS.includes(key), "This key is reserved and cannot be used as an environment variable key"),
-	value: z.string().min(1, "Value is required"),
-	isSecret: z.boolean().default(false)
+//#region ../../node_modules/.pnpm/@modelcontextprotocol+sdk@1.29.0_zod@4.4.3/node_modules/@modelcontextprotocol/sdk/dist/esm/shared/auth.js
+/**
+* Reusable URL validation that disallows javascript: scheme
+*/
+const SafeUrlSchema = z$1.url().superRefine((val, ctx) => {
+	if (!URL.canParse(val)) {
+		ctx.addIssue({
+			code: z$1.ZodIssueCode.custom,
+			message: "URL must be parseable",
+			fatal: true
+		});
+		return z$1.NEVER;
+	}
+}).refine((url) => {
+	const u = new URL(url);
+	return u.protocol !== "javascript:" && u.protocol !== "data:" && u.protocol !== "vbscript:";
+}, { message: "URL cannot use javascript:, data:, or vbscript: scheme" });
+/**
+* RFC 9728 OAuth Protected Resource Metadata
+*/
+const OAuthProtectedResourceMetadataSchema = z$1.looseObject({
+	resource: z$1.string().url(),
+	authorization_servers: z$1.array(SafeUrlSchema).optional(),
+	jwks_uri: z$1.string().url().optional(),
+	scopes_supported: z$1.array(z$1.string()).optional(),
+	bearer_methods_supported: z$1.array(z$1.string()).optional(),
+	resource_signing_alg_values_supported: z$1.array(z$1.string()).optional(),
+	resource_name: z$1.string().optional(),
+	resource_documentation: z$1.string().optional(),
+	resource_policy_uri: z$1.string().url().optional(),
+	resource_tos_uri: z$1.string().url().optional(),
+	tls_client_certificate_bound_access_tokens: z$1.boolean().optional(),
+	authorization_details_types_supported: z$1.array(z$1.string()).optional(),
+	dpop_signing_alg_values_supported: z$1.array(z$1.string()).optional(),
+	dpop_bound_access_tokens_required: z$1.boolean().optional()
 });
-const environmentVariablesSchema = z.array(environmentVariableSchema);
-const buildSettingsSchema = z.object({
-	installCommand: z.string().optional(),
-	buildCommand: z.string().optional(),
-	buildOutputDir: z.string().optional(),
-	startCommand: z.string().optional()
+/**
+* RFC 8414 OAuth 2.0 Authorization Server Metadata
+*/
+const OAuthMetadataSchema = z$1.looseObject({
+	issuer: z$1.string(),
+	authorization_endpoint: SafeUrlSchema,
+	token_endpoint: SafeUrlSchema,
+	registration_endpoint: SafeUrlSchema.optional(),
+	scopes_supported: z$1.array(z$1.string()).optional(),
+	response_types_supported: z$1.array(z$1.string()),
+	response_modes_supported: z$1.array(z$1.string()).optional(),
+	grant_types_supported: z$1.array(z$1.string()).optional(),
+	token_endpoint_auth_methods_supported: z$1.array(z$1.string()).optional(),
+	token_endpoint_auth_signing_alg_values_supported: z$1.array(z$1.string()).optional(),
+	service_documentation: SafeUrlSchema.optional(),
+	revocation_endpoint: SafeUrlSchema.optional(),
+	revocation_endpoint_auth_methods_supported: z$1.array(z$1.string()).optional(),
+	revocation_endpoint_auth_signing_alg_values_supported: z$1.array(z$1.string()).optional(),
+	introspection_endpoint: z$1.string().optional(),
+	introspection_endpoint_auth_methods_supported: z$1.array(z$1.string()).optional(),
+	introspection_endpoint_auth_signing_alg_values_supported: z$1.array(z$1.string()).optional(),
+	code_challenge_methods_supported: z$1.array(z$1.string()).optional(),
+	client_id_metadata_document_supported: z$1.boolean().optional()
 });
-const runtimeSchema = z.enum([
-	"python3.13",
-	"python3.14",
-	"node22",
-	"node24"
-]);
-const transportSchema = z.enum([
-	"stdio",
-	"sse",
-	"streamablehttp"
-]);
-const analysisStatusSchema = z.enum([
+/**
+* OpenID Connect Discovery 1.0 Provider Metadata
+* see: https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata
+*/
+const OpenIdProviderMetadataSchema = z$1.looseObject({
+	issuer: z$1.string(),
+	authorization_endpoint: SafeUrlSchema,
+	token_endpoint: SafeUrlSchema,
+	userinfo_endpoint: SafeUrlSchema.optional(),
+	jwks_uri: SafeUrlSchema,
+	registration_endpoint: SafeUrlSchema.optional(),
+	scopes_supported: z$1.array(z$1.string()).optional(),
+	response_types_supported: z$1.array(z$1.string()),
+	response_modes_supported: z$1.array(z$1.string()).optional(),
+	grant_types_supported: z$1.array(z$1.string()).optional(),
+	acr_values_supported: z$1.array(z$1.string()).optional(),
+	subject_types_supported: z$1.array(z$1.string()),
+	id_token_signing_alg_values_supported: z$1.array(z$1.string()),
+	id_token_encryption_alg_values_supported: z$1.array(z$1.string()).optional(),
+	id_token_encryption_enc_values_supported: z$1.array(z$1.string()).optional(),
+	userinfo_signing_alg_values_supported: z$1.array(z$1.string()).optional(),
+	userinfo_encryption_alg_values_supported: z$1.array(z$1.string()).optional(),
+	userinfo_encryption_enc_values_supported: z$1.array(z$1.string()).optional(),
+	request_object_signing_alg_values_supported: z$1.array(z$1.string()).optional(),
+	request_object_encryption_alg_values_supported: z$1.array(z$1.string()).optional(),
+	request_object_encryption_enc_values_supported: z$1.array(z$1.string()).optional(),
+	token_endpoint_auth_methods_supported: z$1.array(z$1.string()).optional(),
+	token_endpoint_auth_signing_alg_values_supported: z$1.array(z$1.string()).optional(),
+	display_values_supported: z$1.array(z$1.string()).optional(),
+	claim_types_supported: z$1.array(z$1.string()).optional(),
+	claims_supported: z$1.array(z$1.string()).optional(),
+	service_documentation: z$1.string().optional(),
+	claims_locales_supported: z$1.array(z$1.string()).optional(),
+	ui_locales_supported: z$1.array(z$1.string()).optional(),
+	claims_parameter_supported: z$1.boolean().optional(),
+	request_parameter_supported: z$1.boolean().optional(),
+	request_uri_parameter_supported: z$1.boolean().optional(),
+	require_request_uri_registration: z$1.boolean().optional(),
+	op_policy_uri: SafeUrlSchema.optional(),
+	op_tos_uri: SafeUrlSchema.optional(),
+	client_id_metadata_document_supported: z$1.boolean().optional()
+});
+/**
+* OpenID Connect Discovery metadata that may include OAuth 2.0 fields
+* This schema represents the real-world scenario where OIDC providers
+* return a mix of OpenID Connect and OAuth 2.0 metadata fields
+*/
+const OpenIdProviderDiscoveryMetadataSchema = z$1.object({
+	...OpenIdProviderMetadataSchema.shape,
+	...OAuthMetadataSchema.pick({ code_challenge_methods_supported: true }).shape
+});
+z$1.object({
+	access_token: z$1.string(),
+	id_token: z$1.string().optional(),
+	token_type: z$1.string(),
+	expires_in: z$1.coerce.number().optional(),
+	scope: z$1.string().optional(),
+	refresh_token: z$1.string().optional()
+}).strip();
+z$1.object({
+	error: z$1.string(),
+	error_description: z$1.string().optional(),
+	error_uri: z$1.string().optional()
+});
+/**
+* Optional version of SafeUrlSchema that allows empty string for retrocompatibility on tos_uri and logo_uri
+*/
+const OptionalSafeUrlSchema = SafeUrlSchema.optional().or(z$1.literal("").transform(() => void 0));
+/**
+* RFC 7591 OAuth 2.0 Dynamic Client Registration metadata
+*/
+const OAuthClientMetadataSchema = z$1.object({
+	redirect_uris: z$1.array(SafeUrlSchema),
+	token_endpoint_auth_method: z$1.string().optional(),
+	grant_types: z$1.array(z$1.string()).optional(),
+	response_types: z$1.array(z$1.string()).optional(),
+	client_name: z$1.string().optional(),
+	client_uri: SafeUrlSchema.optional(),
+	logo_uri: OptionalSafeUrlSchema,
+	scope: z$1.string().optional(),
+	contacts: z$1.array(z$1.string()).optional(),
+	tos_uri: OptionalSafeUrlSchema,
+	policy_uri: z$1.string().optional(),
+	jwks_uri: SafeUrlSchema.optional(),
+	jwks: z$1.any().optional(),
+	software_id: z$1.string().optional(),
+	software_version: z$1.string().optional(),
+	software_statement: z$1.string().optional()
+}).strip();
+/**
+* RFC 7591 OAuth 2.0 Dynamic Client Registration client information
+*/
+const OAuthClientInformationSchema = z$1.object({
+	client_id: z$1.string(),
+	client_secret: z$1.string().optional(),
+	client_id_issued_at: z$1.number().optional(),
+	client_secret_expires_at: z$1.number().optional()
+}).strip();
+OAuthClientMetadataSchema.merge(OAuthClientInformationSchema);
+z$1.object({
+	error: z$1.string(),
+	error_description: z$1.string().optional()
+}).strip();
+z$1.object({
+	token: z$1.string(),
+	token_type_hint: z$1.string().optional()
+}).strip();
+const platformSchema = z.enum(["chatgpt", "claudeai"]);
+const PLATFORM_LABELS = {
+	chatgpt: "ChatGPT",
+	claudeai: "Claude.ai"
+};
+const auditStatusSchema = z.enum([
 	"pending",
 	"partial",
 	"completed",
 	"failed"
 ]);
-const platformSchema = z.enum(["chatgpt", "claudeai"]);
 const checkSeveritySchema = z.enum([
 	"error",
 	"warning",
@@ -86,6 +199,8 @@ const checkDetailSchema = z.object({
 });
 const checkResultSchema = z.object({
 	checkId: z.string(),
+	checkName: z.string(),
+	description: z.string(),
 	status: z.enum([
 		"pass",
 		"fail",
@@ -117,12 +232,1032 @@ const auditReportSchema = z.object({
 	widgetScreenshotKeys: z.object({
 		chatgpt: z.string().optional(),
 		claudeai: z.string().optional()
-	}).optional(),
-	widgetScreenshots: z.object({
-		chatgpt: z.object({ url: z.string() }).optional(),
-		claudeai: z.object({ url: z.string() }).optional()
+	})
+});
+const widgetScreenshotSchema = z.object({ url: z.string() });
+const auditReportWithScreenshotsSchema = auditReportSchema.extend({ widgetScreenshots: z.object({
+	chatgpt: widgetScreenshotSchema.optional(),
+	claudeai: widgetScreenshotSchema.optional()
+}) });
+z.object({
+	id: z.string(),
+	environmentId: z.string(),
+	clientId: z.string(),
+	clientSecret: z.string(),
+	clientScopes: z.array(z.string())
+});
+const deploymentStatusSchema$1 = z.enum([
+	"ongoing",
+	"deployed",
+	"failed",
+	"canceled"
+]);
+z.object({
+	timestamp: z.coerce.date().optional(),
+	content: z.string().optional()
+});
+const deploymentSummarySchema = z.object({
+	id: z.string(),
+	status: deploymentStatusSchema$1,
+	sourceBucket: z.string().nullable(),
+	sourceObjectKey: z.string().nullable(),
+	sourceRef: z.string().nullable(),
+	sourceCommitId: z.string().nullable(),
+	sourceCommitMessage: z.string().nullable(),
+	environmentId: z.string(),
+	authorUsername: z.string().nullable(),
+	authorAvatarUrl: z.string().nullable(),
+	startedAt: z.coerce.date().nullable(),
+	completedAt: z.coerce.date().nullable(),
+	isCurrent: z.boolean().optional(),
+	createdAt: z.coerce.date(),
+	updatedAt: z.coerce.date()
+});
+/**
+* Public environment
+*
+* No OAuth metadata exposed.
+*/
+const publicEnvironmentSchema = z.object({
+	isPublic: z.literal(true),
+	oAuthMetadata: z.undefined().optional()
+});
+/**
+* Protected environment with an external resource metadata URL
+*
+* An external resource metadata URL is returned in the WWW-Authenticate header during the first 401 response.
+* Everything that follows is handled outside of the MCP server scope.
+*/
+const externalResourceMetadataEnvironmentSchema = z.object({
+	isPublic: z.literal(false),
+	oAuthMetadata: z.object({ externalResourceMetadataUrl: z.url() }),
+	scope: z.string().optional()
+});
+/**
+* Protected environment with an external authorization server URL
+*
+* The server itself exposes the /.well-known/oauth-protected-resource endpoint.
+* An external authorization server URL is returned when requesting the endpoint.
+* Everything that follows is handled outside of the MCP server scope.
+*/
+const externalAuthorizationServerEnvironmentSchema = z.object({
+	isPublic: z.literal(false),
+	oAuthMetadata: z.object({
+		externalAuthorizationServerUrl: z.url(),
+		resourceMetadata: OAuthProtectedResourceMetadataSchema.optional()
+	}),
+	scope: z.string().optional()
+});
+/**
+* Standalone protected environment
+*
+* The server itself exposes the /.well-known/oauth-protected-resource endpoint.
+* The server itself exposes the /.well-known/oauth-authorization-server endpoint.
+*/
+const standaloneEnvironmentSchema = z.object({
+	isPublic: z.literal(false),
+	oAuthMetadata: z.object({
+		authorizationServerMetadata: z.union([OAuthMetadataSchema, OpenIdProviderDiscoveryMetadataSchema]),
+		resourceMetadata: OAuthProtectedResourceMetadataSchema.optional()
+	}),
+	scope: z.string().optional()
+});
+/**
+* Protected environment without OAuth discovery
+*
+* The server enforces authentication but exposes no OAuth discovery metadata.
+* Neither /.well-known/oauth-protected-resource nor /.well-known/oauth-authorization-server
+* are advertised. Clients must obtain credentials out-of-band.
+*/
+const protectedWithoutDiscoveryEnvironmentSchema = z.object({
+	isPublic: z.literal(false),
+	oAuthMetadata: z.strictObject({}),
+	scope: z.string().optional()
+});
+z.union([
+	publicEnvironmentSchema,
+	externalResourceMetadataEnvironmentSchema,
+	externalAuthorizationServerEnvironmentSchema,
+	standaloneEnvironmentSchema,
+	protectedWithoutDiscoveryEnvironmentSchema
+]);
+const allowedPlatformSchema = platformSchema;
+const environmentDomainSchema = z.object({
+	domain: z.string(),
+	status: z.enum([
+		"ongoing",
+		"deployed",
+		"failed"
+	]),
+	createdAt: z.coerce.date(),
+	updatedAt: z.coerce.date()
+});
+const environmentSchema$1 = z.object({
+	id: z.string(),
+	name: z.string(),
+	sourceBranch: z.string().nullable(),
+	mcpServerUrl: z.string(),
+	activeDeployment: deploymentSummarySchema.optional(),
+	latestDeployment: deploymentSummarySchema.optional(),
+	openaiAppsChallenge: z.string().nullable().optional(),
+	isPlaygroundEnabled: z.boolean(),
+	isIpWhitelistEnabled: z.boolean(),
+	ipAllowlist: z.array(z.string()).nullable(),
+	allowedPlatforms: z.array(allowedPlatformSchema),
+	projectId: z.string(),
+	createdAt: z.coerce.date(),
+	updatedAt: z.coerce.date()
+});
+const environmentWithDomainsSchema = environmentSchema$1.extend({ domains: z.array(environmentDomainSchema) });
+z.object({
+	id: z.string(),
+	createdAt: z.coerce.date(),
+	environmentId: z.string(),
+	content: z.string(),
+	source: z.enum(["model", "user"])
+});
+z.object({
+	content: z.string(),
+	source: z.enum(["model", "user"])
+});
+const intentCategoryColorSchema = z.enum([
+	"red",
+	"orange",
+	"yellow",
+	"green",
+	"blue",
+	"purple",
+	"pink",
+	"gray"
+]);
+intentCategoryColorSchema.options;
+const intentCategorySchema = z.object({
+	id: z.string(),
+	createdAt: z.coerce.date(),
+	environmentId: z.string(),
+	name: z.string(),
+	color: intentCategoryColorSchema
+});
+z.object({
+	id: z.string(),
+	name: z.string(),
+	color: intentCategoryColorSchema,
+	intentCount: z.number().int().nonnegative()
+});
+z.object({
+	id: z.string(),
+	createdAt: z.coerce.date(),
+	environmentId: z.string(),
+	toolName: z.string(),
+	message: z.string(),
+	categories: z.array(intentCategorySchema)
+});
+const signalCategorySchema = z.object({
+	id: z.string(),
+	name: z.string(),
+	color: intentCategoryColorSchema
+});
+z.discriminatedUnion("kind", [
+	z.object({
+		kind: z.literal("new"),
+		category: signalCategorySchema,
+		currentCount: z.number().int().nonnegative(),
+		currentShare: z.number()
+	}),
+	z.object({
+		kind: z.literal("resurging"),
+		category: signalCategorySchema,
+		currentCount: z.number().int().nonnegative(),
+		daysQuiet: z.number(),
+		currentShare: z.number()
+	}),
+	z.object({
+		kind: z.literal("spike"),
+		category: signalCategorySchema,
+		currentCount: z.number().int().nonnegative(),
+		previousCount: z.number().int().nonnegative(),
+		currentShare: z.number(),
+		previousShare: z.number(),
+		changeRatio: z.number()
+	}),
+	z.object({
+		kind: z.literal("declining"),
+		category: signalCategorySchema,
+		currentCount: z.number().int().nonnegative(),
+		previousCount: z.number().int().nonnegative(),
+		currentShare: z.number(),
+		previousShare: z.number(),
+		changeRatio: z.number()
+	})
+]);
+z.discriminatedUnion("kind", [z.object({
+	kind: z.literal("existing"),
+	categoryId: z.string(),
+	categoryName: z.string(),
+	intentIds: z.array(z.string())
+}), z.object({
+	kind: z.literal("new"),
+	categoryName: z.string(),
+	intentIds: z.array(z.string())
+})]);
+z.object({
+	id: z.string(),
+	teamId: z.string(),
+	email: z.string(),
+	expiresAt: z.coerce.date(),
+	createdAt: z.coerce.date(),
+	updatedAt: z.coerce.date()
+});
+z.enum([
+	"INFO",
+	"WARNING",
+	"DEBUG",
+	"ERROR"
+]);
+const runtimeSchema = z.enum([
+	"python3.13",
+	"python3.14",
+	"node22",
+	"node24"
+]);
+const transportSchema = z.enum([
+	"stdio",
+	"sse",
+	"streamablehttp"
+]);
+z.object({
+	id: z.string(),
+	name: z.string(),
+	teamId: z.string(),
+	sourceRepository: z.string().nullable(),
+	createdAt: z.coerce.date().optional(),
+	runtime: runtimeSchema,
+	transport: transportSchema.nullable(),
+	rootDirectory: z.string().nullable(),
+	installCommand: z.string().nullable(),
+	buildCommand: z.string().nullable(),
+	buildOutputDir: z.string().nullable(),
+	startCommand: z.string().nullable(),
+	fixedOutboundIp: z.boolean(),
+	environments: z.array(environmentWithDomainsSchema),
+	productionEnvironment: environmentWithDomainsSchema.nullable()
+});
+z.object({
+	domain: z.string(),
+	createdAt: z.coerce.date(),
+	status: z.enum([
+		"ongoing",
+		"deployed",
+		"failed"
+	]),
+	environment: environmentSchema$1
+});
+const serverFieldsSchema$1 = z.object({
+	$schema: z.string(),
+	name: z.string(),
+	description: z.string(),
+	version: z.string().optional(),
+	title: z.string().optional(),
+	websiteUrl: z.string().optional(),
+	icons: z.array(z.object({
+		src: z.string(),
+		mimeType: z.string().optional(),
+		sizes: z.array(z.string()).optional()
+	})).optional(),
+	remotes: z.array(z.object({
+		type: z.string(),
+		url: z.string().optional(),
+		headers: z.array(z.object({
+			name: z.string(),
+			description: z.string(),
+			isRequired: z.boolean().optional(),
+			isSecret: z.boolean().optional()
+		})).optional()
+	})).optional()
+}).catchall(z.unknown());
+z.object({
+	serverFields: serverFieldsSchema$1,
+	source: z.enum(["registry", "defaults"])
+});
+/**
+* Returns a variant of a `maxLength`-constrained string that clamps (truncates) instead of
+* rejecting on overflow — used for AI-generated copy where the model routinely overshoots.
+*
+* NOTE: this rebuilds the schema from scratch, carrying over only `maxLength` (as a clamp),
+* `minLength`, and the description. Any other validators on the source field (`.regex()`,
+* `.email()`, custom refinements) are intentionally dropped — this helper is meant for plain
+* free-text length caps only. A field with `null` `maxLength` is returned unchanged.
+*/
+const clampStringField = (field) => {
+	const max = field.maxLength;
+	if (max === null) return field;
+	const clamped = z.string().overwrite((value) => value.slice(0, max)).max(max);
+	const withMin = field.minLength === null ? clamped : clamped.min(field.minLength);
+	return field.description ? withMin.describe(field.description) : withMin;
+};
+const toolDefinitionSchema = z.object({
+	name: z.string(),
+	title: z.string().optional().describe("Human-friendly name for the tool, used in the UI. If not provided, `name` will be used."),
+	description: z.string().optional(),
+	annotations: z.object({
+		readOnlyHint: z.boolean().optional(),
+		destructiveHint: z.boolean().optional(),
+		openWorldHint: z.boolean().optional(),
+		idempotentHint: z.boolean().optional()
 	}).optional()
 });
+const positiveTestCaseSchema = z.object({
+	scenario: z.string().describe("Short label for what this case demonstrates."),
+	userPrompt: z.string().describe("A realistic, standalone user message a reviewer can paste and run with no prior state or multi-turn setup. Vary phrasing and tone across cases."),
+	toolTriggered: z.string().optional().describe("The tool this prompt should invoke."),
+	expectedOutput: z.string().optional().describe("What the user should see, including post-interaction behaviour where relevant.")
+}).partial().describe("Each case: Scenario, User prompt, Tool triggered, Expected output.");
+const screenshotEntrySchema = z.object({
+	prompt: z.string(),
+	url: z.url().or(z.literal(""))
+}).describe("Each screenshot: the user prompt that produced it + the image URL.");
+/** Accepts either a valid email or URL. */
+const supportChannelSchema = z.string().refine((value) => z.email().safeParse(value).success || z.url().safeParse(value).success, { error: "Must be a valid email or URL" });
+const chatgptCategorySchema = z.enum([
+	"BUSINESS",
+	"COLLABORATION",
+	"DESIGN",
+	"DEVELOPER_TOOLS",
+	"EDUCATION",
+	"ENTERTAINMENT",
+	"FINANCE",
+	"FOOD",
+	"LIFESTYLE",
+	"NEWS",
+	"PRODUCTIVITY",
+	"SHOPPING",
+	"TRAVEL"
+]);
+const chatgptAuthenticationSchema = z.enum(["No auth needed", "OAuth 2.0"]);
+const chatgptCountryCodeSchema = z.enum([
+	"AD",
+	"AE",
+	"AF",
+	"AG",
+	"AL",
+	"AM",
+	"AO",
+	"AR",
+	"AT",
+	"AU",
+	"AW",
+	"AX",
+	"AZ",
+	"BA",
+	"BB",
+	"BD",
+	"BE",
+	"BF",
+	"BG",
+	"BH",
+	"BI",
+	"BJ",
+	"BL",
+	"BM",
+	"BN",
+	"BO",
+	"BR",
+	"BS",
+	"BT",
+	"BW",
+	"BZ",
+	"CA",
+	"CD",
+	"CF",
+	"CG",
+	"CH",
+	"CI",
+	"CL",
+	"CM",
+	"CO",
+	"CR",
+	"CV",
+	"CY",
+	"CZ",
+	"DE",
+	"DJ",
+	"DK",
+	"DM",
+	"DO",
+	"DZ",
+	"EC",
+	"EE",
+	"EG",
+	"ER",
+	"ES",
+	"ET",
+	"FI",
+	"FJ",
+	"FM",
+	"FO",
+	"FR",
+	"GA",
+	"GB",
+	"GD",
+	"GE",
+	"GF",
+	"GH",
+	"GL",
+	"GM",
+	"GN",
+	"GP",
+	"GQ",
+	"GR",
+	"GT",
+	"GW",
+	"GY",
+	"HN",
+	"HR",
+	"HT",
+	"HU",
+	"ID",
+	"IE",
+	"IL",
+	"IN",
+	"IQ",
+	"IS",
+	"IT",
+	"JM",
+	"JO",
+	"JP",
+	"KE",
+	"KG",
+	"KH",
+	"KI",
+	"KM",
+	"KN",
+	"KR",
+	"KW",
+	"KY",
+	"KZ",
+	"LA",
+	"LB",
+	"LC",
+	"LI",
+	"LK",
+	"LR",
+	"LS",
+	"LT",
+	"LU",
+	"LV",
+	"LY",
+	"MA",
+	"MC",
+	"MD",
+	"ME",
+	"MF",
+	"MG",
+	"MH",
+	"MK",
+	"ML",
+	"MM",
+	"MN",
+	"MQ",
+	"MR",
+	"MT",
+	"MU",
+	"MV",
+	"MW",
+	"MX",
+	"MY",
+	"MZ",
+	"NA",
+	"NC",
+	"NE",
+	"NG",
+	"NI",
+	"NL",
+	"NO",
+	"NP",
+	"NR",
+	"NZ",
+	"OM",
+	"PA",
+	"PE",
+	"PF",
+	"PG",
+	"PH",
+	"PK",
+	"PL",
+	"PM",
+	"PS",
+	"PT",
+	"PW",
+	"PY",
+	"QA",
+	"RE",
+	"RO",
+	"RS",
+	"RW",
+	"SA",
+	"SB",
+	"SC",
+	"SD",
+	"SE",
+	"SG",
+	"SH",
+	"SI",
+	"SJ",
+	"SK",
+	"SL",
+	"SM",
+	"SN",
+	"SO",
+	"SR",
+	"SS",
+	"ST",
+	"SV",
+	"SZ",
+	"TD",
+	"TF",
+	"TG",
+	"TH",
+	"TJ",
+	"TL",
+	"TM",
+	"TN",
+	"TO",
+	"TR",
+	"TT",
+	"TV",
+	"TW",
+	"TZ",
+	"UA",
+	"UG",
+	"US",
+	"UY",
+	"UZ",
+	"VA",
+	"VC",
+	"VN",
+	"VU",
+	"WF",
+	"WS",
+	"YE",
+	"YT",
+	"ZA",
+	"ZM",
+	"ZW"
+]);
+const chatgptAllowedCountriesSchema = z.discriminatedUnion("mode", [
+	z.object({ mode: z.literal("all") }),
+	z.object({
+		mode: z.literal("allow"),
+		countries: z.array(chatgptCountryCodeSchema)
+	}),
+	z.object({
+		mode: z.literal("block"),
+		countries: z.array(chatgptCountryCodeSchema)
+	})
+]);
+const chatgptTranslationLocaleSchema = z.enum([
+	"am",
+	"ar",
+	"bg-BG",
+	"bn-BD",
+	"bs-BA",
+	"ca-ES",
+	"cs-CZ",
+	"da-DK",
+	"de-DE",
+	"el-GR",
+	"es-419",
+	"es-ES",
+	"et-EE",
+	"fi-FI",
+	"fr-CA",
+	"fr-FR",
+	"gu-IN",
+	"hi-IN",
+	"hr-HR",
+	"hu-HU",
+	"hy-AM",
+	"id-ID",
+	"is-IS",
+	"it-IT",
+	"ja-JP",
+	"ka-GE",
+	"kk",
+	"kn-IN",
+	"ko-KR",
+	"lt",
+	"lv-LV",
+	"mk-MK",
+	"ml",
+	"mn",
+	"mr-IN",
+	"ms-MY",
+	"my-MM",
+	"nb-NO",
+	"nl-NL",
+	"pa",
+	"pl-PL",
+	"pt-BR",
+	"pt-PT",
+	"ro-RO",
+	"ru-RU",
+	"sk-SK",
+	"sl-SI",
+	"so-SO",
+	"sq-AL",
+	"sr-RS",
+	"sv-SE",
+	"sw-TZ",
+	"ta-IN",
+	"te-IN",
+	"th-TH",
+	"tl",
+	"tr-TR",
+	"uk-UA",
+	"ur",
+	"vi-VN",
+	"zh-CN",
+	"zh-HK",
+	"zh-TW"
+]);
+const negativeTestCaseSchema = z.object({
+	scenario: z.string(),
+	userPrompt: z.string()
+}).partial().describe("Each case: Scenario + User prompt (the app should NOT trigger).");
+const chatgptToolJustificationSchema = z.object({
+	toolName: z.string(),
+	readOnlyJustification: z.string().describe("One sentence on what the tool reads and returns."),
+	openWorldJustification: z.string().describe("One sentence on whether the tool reaches external systems beyond your own service."),
+	destructiveJustification: z.string().describe("One sentence on whether the tool changes data. For a read-only tool, state the full triad: \"No data is created, modified, or deleted.\"")
+}).describe("Per-tool justification of each MCP annotation value (one specific sentence per hint).");
+/**
+* Base copy fields, defined once and reused by both the submission form and per-locale
+* translations so the constraints (tagline ≤ 30 chars) never drift. The translation generation
+* path wraps these in {@link clampStringField} since the LLM tends to overshoot the limit.
+*/
+const chatgptTaglineSchema = z.string().max(30);
+const chatgptDescriptionSchema = z.string();
+const chatgptTranslationSchema = z.object({
+	locale: chatgptTranslationLocaleSchema,
+	tagline: chatgptTaglineSchema,
+	description: chatgptDescriptionSchema
+}).describe("Locale-scoped override for tagline + description. English (US) is the default.");
+chatgptTranslationSchema.extend({ tagline: clampStringField(chatgptTaglineSchema) });
+/**
+* Field order mirrors the ChatGPT (OpenAI) submission spreadsheet, grouped by section.
+* When adding/removing/reordering fields, keep this in sync with the sheet.
+*/
+const chatgptSubmissionFormDataSchema = z.object({
+	logoLight: z.string().describe("Logo icon for light mode. Square PNG, no borders or rounded corners (clients apply circular cropping)."),
+	logoDark: z.string().optional().describe("Optional dark-mode logo icon. Square PNG, same specs as the light icon. Leave empty if the light icon also works on dark backgrounds."),
+	appName: z.string().describe("The name users will see in ChatGPT and in the Apps Directory."),
+	tagline: chatgptTaglineSchema.describe("Plain-language phrase focused on function and user value, 30 chars max. Avoid generic superlatives like \"the best …\"."),
+	description: chatgptDescriptionSchema.describe("Clear, engaging description highlighting what the app does and why people will love it. Appears publicly on the directory page. End it by naming the product categories or intents the app does NOT cover, so ChatGPT learns when not to route to it (define exclusions by absent categories or wrong intents, never by naming other brands)."),
+	category: chatgptCategorySchema.describe("Category from the OpenAI taxonomy."),
+	developerName: z.string().describe("Developer name shown publicly on the app's directory page."),
+	companyUrl: z.url().describe("Your company's main website URL."),
+	supportChannel: supportChannelSchema.describe("Customer support URL or email address."),
+	privacyPolicyUrl: z.url().describe("URL to your privacy policy."),
+	termsOfServiceUrl: z.url().describe("URL to the app's terms of service."),
+	demoRecordingUrl: z.url().describe("URL to a video demonstrating the app, recorded via OpenAI Developer Mode. Cover all main use cases on web, iOS, and Android."),
+	appCommerceAndPurchasing: z.boolean().describe("Checkbox: 'My app links or directs users out of ChatGPT to make purchases.' Defaults to false. Verify the app does not offer digital goods."),
+	serverUrl: z.url().describe("URL of the MCP server."),
+	authentication: chatgptAuthenticationSchema.describe("OAuth 2.0 or No auth. OAuth configuration is auto-discovered from the MCP server's metadata."),
+	tools: z.array(toolDefinitionSchema).describe("List of tools exposed by the MCP server (auto-populated from the production server's manifest)."),
+	toolJustifications: z.array(chatgptToolJustificationSchema).describe("Per-tool justification of `readOnlyHint`, `openWorldHint`, and `destructiveHint` annotation values. One short, specific sentence per hint describing what the tool actually does."),
+	testCases: z.array(positiveTestCaseSchema).describe("At least 5 positive test cases. Each: Scenario, User prompt, Tool triggered, Expected output. Collectively cover the full capability across different flow stages (initial search or browse, market or locale handling, post-interaction detail, an action ChatGPT performs on the user's behalf, and a conversion or secondary tool) rather than five variations of the same first step."),
+	negativeTestCases: z.array(negativeTestCaseSchema).describe("3 negative test cases: prompts where the app should NOT trigger but the model might think it is relevant. These become production routing metadata that teaches ChatGPT when to stay silent, so pick tight near-misses: a product category the app does not carry, the right brand or domain but an intent the app does not serve, or a boundary with a sibling app."),
+	screenshots: z.array(screenshotEntrySchema).max(3).describe("In-app screenshots paired with the user prompt that produced them. Widget apps must show the widget UI; non-widget apps show the model response. Min 1, max 3 entries, all public. Images: 706px wide, 400–860px tall, PNG."),
+	translations: z.array(chatgptTranslationSchema).describe("Per-locale translation of tagline + description. English (US) is the default."),
+	allowedCountries: chatgptAllowedCountriesSchema.describe("Availability: all supported countries, or an allow-list / block-list of specific ones (ISO alpha-2)."),
+	releaseNotes: z.string().describe("Publicly displayed on the app details page.")
+});
+chatgptSubmissionFormDataSchema.pick({
+	appName: true,
+	developerName: true,
+	serverUrl: true,
+	tools: true,
+	authentication: true
+});
+chatgptSubmissionFormDataSchema.pick({
+	tagline: true,
+	description: true,
+	category: true,
+	testCases: true,
+	negativeTestCases: true,
+	toolJustifications: true
+}).extend({ tagline: clampStringField(chatgptSubmissionFormDataSchema.shape.tagline) });
+const claudeCategorySchema = z.enum([
+	"Business & Productivity",
+	"Communication",
+	"Data & Analytics",
+	"Development tools",
+	"Financial Services",
+	"Consumer Health",
+	"Health & Life Sciences",
+	"Media & Entertainment",
+	"Commerce & Shopping"
+]);
+const claudeAuthenticationSchema = z.enum([
+	"No auth needed",
+	"OAuth 2.0",
+	"Custom URL"
+]);
+const claudeMcpUrlTypeSchema = z.enum(["Universal URL", "Custom MCP URLs"]);
+z.enum(["Static OAuth Client", "Dynamic OAuth Client (DCR / CIMD)"]);
+const claudeReadWriteCapabilitiesSchema = z.enum([
+	"Read Only",
+	"Write Only",
+	"Read + Write"
+]);
+const claudeTransportSchema = z.enum(["Streamable HTTP", "SSE"]);
+const claudeTestedSurfaceSchema = z.enum([
+	"Claude.ai (web)",
+	"Claude Desktop",
+	"Claude Code",
+	"Cowork"
+]);
+const claudeThirdPartySchema = z.enum([
+	"Web access: Fetches information from the open web (e.g., web scraping, search engines, or browsing arbitrary URLs, not just connecting to a specific API)",
+	"Third-party AI model integration: Sends data to or receives data from a generative AI model other than Claude",
+	"Third-party data retrieval: Connects to external services that themselves retrieve data from other sources (e.g., workflow automation platforms or other services that aggregate or relay data from multiple third-party sources)",
+	"Third-party data modification: Can connect to external services that themselves create, update, or delete data in other sources (e.g., workflow automation platforms or other services that write to multiple third-party sources)",
+	"N/A"
+]);
+const claudeDataHandlingSchema = z.enum([
+	"Server only accesses data explicitly requested by user",
+	"No data is stored beyond session requirements",
+	"Data transmission is encrypted (HTTPS/TLS)",
+	"GDPR compliant (if applicable)"
+]);
+const claudeSponsoredContentSchema = z.enum([
+	"No, there is no sponsored content or advertisements",
+	"Yes, there are banner ads or other paid visual elements",
+	"Yes, the returned content or ranking of returned content is impacted by sponsorship or ad placement"
+]);
+/**
+* Field order mirrors the Claude (Anthropic) submission spreadsheet, grouped by section.
+* When adding/removing/reordering fields, keep this in sync with the sheet.
+*/
+const claudeSubmissionFormDataSchema = z.object({
+	companyName: z.string().describe("Enter your company's legal name or the name under which your product is publicly known. This is used for internal tracking and may appear in directory listings."),
+	companyUrl: z.url().describe("Your company's main website URL, e.g. https://mycompany.com. Must be a valid URL with https://. This should be the root domain of the company behind this MCP server."),
+	primaryContactName: z.string().describe("Full name of the person Anthropic should contact about this submission. This person will receive review feedback, approval notices, and any follow-up questions."),
+	primaryContactEmail: z.email().describe("Business email for the primary contact. Must be a valid email address. Anthropic uses this to communicate about your submission status, required changes, and post-listing issues. Avoid using personal email addresses."),
+	primaryContactRole: z.string().optional().describe("The job title or role of the primary contact (e.g. 'CTO', 'Developer Relations Lead', 'Founder'). Optional but helps Anthropic route questions to the right person."),
+	anthropicPointOfContact: z.string().optional().describe("If you have a direct contact at Anthropic (e.g. from a partnership or sales conversation), enter their name here. This is optional but can greatly help expedite the review process. Leave blank if you don't have one."),
+	appName: z.string().describe(`The public display name for your connector as it will appear in the Connectors Directory.
+
+Rules:
+(1) Do NOT include the words 'MCP' or 'Server' — these are auto-rejected.
+(2) Use your brand/product name, e.g. 'Notion', 'Linear', 'Slack'.
+(3) You must own or have the right to use this brand name. For example, don't call it 'Google Drive Helper' if you're not Google.`),
+	mcpUrlType: claudeMcpUrlTypeSchema.describe(`Choose how your server URL works:
+• 'Universal URL': one single URL that all users connect to (most common). Example: https://mcp.myapp.com
+• 'Custom MCP URLs': each user gets their own unique URL (e.g. based on their workspace or instance). 
+If you choose this, you'll need to provide both a signup URL and a regex pattern that matches valid server URLs for your service.`),
+	serverUrl: z.url().describe(`If 'Universal URL': enter the full https:// URL where your MCP server is hosted and reachable. Example: https://mcp.myapp.com/
+If 'Custom MCP URLs': provide (1) the signup/onboarding URL where users create an account, and (2) a regex pattern that matches all valid server URLs for your service (e.g. https://[a-z0-9-]+\\.myapp\\.com/mcp). The server must be publicly accessible without VPN or whitelisting required.`),
+	tagline: z.string().max(55).describe(`A very short, punchy description shown below your server name in the directory listing. Max 55 characters including spaces.
+Think of it as a subtitle or elevator pitch fragment. Example: 'Manage tasks and projects in Linear' or 'Search and read your Notion workspace'. Avoid generic phrases like 'The best MCP server for...'`),
+	description: z.string().describe(`A 50–100 word description of what your MCP server does. This appears in the connector's detail page inside Claude. Write it from a user perspective: what can users do with this connector? What are the key features/tools? Avoid marketing fluff. Be specific. Example: 'Connect Claude to your Linear workspace. Create and update issues, search projects, manage teams, and track engineering cycles, all from within Claude.' Anthropic reviewers check this for accuracy against your actual tools.`),
+	testCases: z.array(positiveTestCaseSchema).describe(`Provide at least 3 concrete use cases, each with an example prompt a user could type to Claude. These are critical: Anthropic reviewers literally test your server using these prompts. Good examples are specific and demonstrate real value. 
+Best format: [Use case]: [exact prompt]"
+Example for a task manager:
+1. Create a task: 'Create a task called Review Q3 report, due Friday, assigned to Alice'
+2. Search tasks: 'Show me all open bugs in the Mobile project'
+3. Update status: 'Mark the Deploy v2.1 task as done'"`),
+	connectionRequirements: z.string().describe(`Describe any prerequisites a user must have before they can connect your server. Be exhaustive. Examples of things to mention:
+• Account type required (free vs paid plan)
+• Admin permissions or specific roles needed
+• Geographic restrictions (e.g. 'US only' or 'Not available in EU')
+• If users need to provide their own server URL or instance domain
+• Any setup steps needed before connecting (e.g. 'Enable API access in your account settings')
+If there are genuinely no special requirements, write exactly: 'No special requirements.'`),
+	readWriteCapabilities: claudeReadWriteCapabilitiesSchema.describe(`Select the option that best describes what your server can do:
+
+'Read Only': your tools only fetch/retrieve data (GET operations). Claude cannot modify anything via your server.
+'Write Only': your tools only create/update/delete data (rare).
+'Read + Write': your tools can both retrieve AND modify data (most common for full-featured connectors).
+
+Note: Anthropic rejects catch-all tools that accept both safe (GET) and unsafe (POST, PUT, DELETE) HTTP methods via a parameter e.g. a single api_request(method, endpoint) tool. Each tool should have a fixed, specific purpose. `),
+	isMcpApp: z.boolean().describe(`Select 'Yes' if your MCP server renders interactive UI elements (aka widgets or views) inside the Claude conversation.
+Select 'No' if your server only returns text/data responses.
+If 'Yes', you will also be required to provide screenshots of your UI (see Promotional Images section). MCP Apps are displayed with a special badge in the directory.`),
+	thirdPartyConnectionsAndWebAccess: z.array(claudeThirdPartySchema).describe(`Multi-select all that apply to your server's behavior:
+• 'Web access' — your server fetches arbitrary URLs, scrapes websites, or makes open-ended HTTP requests to the web (not just your own API).
+• 'Third-party AI model integration' — your server calls another AI model (e.g. OpenAI, Gemini, Cohere) as part of its processing.
+• 'Third-party data retrieval' — your server retrieves data via a workflow or aggregator platform (e.g. Zapier, Make, n8n) rather than calling your own API directly.
+• 'Third-party data modification' — your server modifies data via such a platform.
+• 'N/A' — your server only calls your own first-party API and does nothing else. Select this only if none of the above apply.`),
+	dataHandling: z.array(claudeDataHandlingSchema).describe(`Multi-select all data handling practices that accurately apply to your server. You must select at least 3. Key points:
+• 'Server only accesses data explicitly requested by user' — your server doesn't silently read unrelated user data.
+• 'No data is stored beyond session requirements' — you don't log or retain conversation data after the session.
+• 'Data transmission is encrypted (HTTPS/TLS)' — all data in transit is encrypted. This should always apply for remote servers.
+• 'GDPR compliant' — if you operate in the EU or serve EU users, check this only if you are genuinely compliant. Don't check it without having proper data processing agreements and procedures in place.
+Note: These are attestations — you are legally agreeing to these practices by submitting the form.`),
+	personalDataHealthAccess: z.boolean().describe(`Select 'Yes' ONLY if your connector gives users access to their own personal health information — such as medical records, lab results, diagnoses, prescriptions, wearable health metrics (heart rate, sleep data, etc.), or mental health data.
+Select 'No' for the vast majority of business/productivity/dev tools. When in doubt, select 'No'. This field triggers additional compliance review if 'Yes'.`),
+	category: claudeCategorySchema.describe(`Select the category that best describes your connector. This determines where it appears in the directory's browse experience. Choose the most specific fit:
+• Business & Productivity — project management, CRM, HR, office tools
+• Communication — email, chat, messaging, notifications
+• Data & Analytics — dashboards, reporting, databases, BI tools
+• Development tools — code repositories, CI/CD, issue trackers, monitoring
+• Financial Services — accounting, invoicing, fintech (note: financial transaction execution is not permitted)
+• Consumer Health — fitness, wellness, personal health tracking
+• Health & Life Sciences — clinical, pharma, medical professional tools
+• Media & Entertainment — content, publishing, streaming
+• Commerce & Shopping — e-commerce, inventory, orders
+Anthropic's submission form only accepts a single category.`),
+	sponsoredContentsOrAdvertisement: claudeSponsoredContentSchema.describe(`Be honest here — advertising is not permitted in the Connectors Directory per Anthropic's policy. Select the option that accurately describes your server:
+• 'No, there is no sponsored content or advertisements' — the results your server returns are not influenced by paid placement or sponsorship. This is what almost all connectors should select.
+• 'Yes, there are banner ads or other paid visual elements' — your UI includes visual ads. NOTE: this will likely lead to rejection, as Anthropic prohibits advertising in Claude.
+• 'Yes, the returned content or ranking of returned content is impacted by sponsorship or ad placement' — paid results affect what you return. NOTE: this also likely leads to rejection.
+If your server returns organic results from a platform that has ads in its own UI (but your API results are not affected by ads), select 'No'.`),
+	authentication: claudeAuthenticationSchema.describe("How users authenticate with the server. No auth / OAuth 2.0 / Custom URL (not supported)."),
+	transportSupport: z.array(claudeTransportSchema).describe(`Select all transport protocols your server supports:
+• 'Streamable HTTP' — the modern, recommended transport. Anthropic strongly recommends implementing this. This is the future-proof option and should be your default.
+• 'SSE (Server-Sent Events)' — the older transport. SSE may be deprecated by Anthropic later in 2025/2026. If you currently only support SSE, you should plan to migrate to Streamable HTTP.
+If you support both, select both. If you're building from scratch, implement Streamable HTTP only.`),
+	serverDocumentationLink: z.url().describe(`A public URL pointing to documentation that helps users understand and use your connector. This is displayed in the Directory listing and must be publicly accessible without login. Minimum requirements for the docs page:
+• What the connector does and its key capabilities
+• How to connect/set it up (step by step)
+• What each tool does (or at least the main ones)
+• How to troubleshoot common issues
+• A support contact or channel
+Acceptable formats: a dedicated docs page, a help center article, a README on GitHub, or a blog post — as long as it's comprehensive. Note: Anthropic requires public documentation to be live by your publish date.`),
+	privacyPolicyUrl: z.url().describe(`URL to your privacy policy. This is mandatory and displayed in the directory listing. Missing or incomplete privacy policies result in immediate rejection. Your privacy policy must cover:
+• What data you collect (and how)
+• How you use the collected data
+• Where and how long you store it
+• Whether you share data with third parties (and who)
+• How users can contact you about data concerns
+The policy must be publicly accessible. If you don't have one yet, create one before submitting — there are free generators online, but make sure it accurately reflects your actual practices. If you're GDPR-compliant, your policy should reflect that.`),
+	supportChannel: supportChannelSchema.describe(`A URL or email address where users can get help with your connector. This is displayed in the Directory listing. Acceptable options:
+• Email address (e.g. support@myapp.com)
+• Link to a GitHub Issues page
+• Link to a help center or support article
+• Link to a Discord/Slack community
+• Link to your documentation's troubleshooting section
+Also uses this to notify you of security or compliance issues, so make sure it's actively monitored.`),
+	testingCredentials: z.string().describe(`Provide login credentials for a test account that Anthropic reviewers can use to verify your server works end-to-end. Critical requirements:
+• The account must have sample/demo data loaded — reviewers need to actually test your tools with real data.
+• No 2FA — reviewers can't receive SMS codes. Disable 2FA on this account.
+• If your service uses Google OAuth or another OAuth that requires email verification, use mcp-review@anthropic.com as the account email — Anthropic has access to this inbox.
+• Credentials must remain valid for at least 30 days from submission.
+• If your service requires API keys instead of a password, provide those.
+Format suggestion: Username/email: xxx | Password: xxx | Any other notes`),
+	tools: z.array(toolDefinitionSchema).describe(`A comma-separated list of all tools your MCP server exposes. Use the format: tool_name (Human-Readable Name). The tool_name is the internal identifier (snake_case, max 64 characters). The Human-Readable Name is what users see.
+Example: list_issues (List Issues), create_issue (Create Issue), update_issue (Update Issue), delete_issue (Delete Issue), search_issues (Search Issues)
+Reviewers test every single tool you list here — don't list tools that don't work. Also: do not have a single catch-all tool like api_request(method, endpoint) — Anthropic rejects these. Each action should be its own purpose-built tool.`),
+	toolTitlesAnnotationsConfirmed: z.boolean().describe(`This is a compliance confirmation — check both boxes only if you have actually implemented these in your server code:
+• 'I've specified user-friendly titles for all tools' — every tool has a 'title' annotation (a human-readable label, different from the tool name).
+• 'I've specified accurate tool annotations for all tools' — every tool has the correct annotation: readOnlyHint: true for read operations (search, get, list, fetch), OR destructiveHint: true for write operations (create, update, delete, send).
+This is the #1 reason submissions get rejected (30% of all rejections). Do not check these boxes without actually having implemented the annotations. See MCP spec for how to add them.`),
+	testedSurfaces: z.array(claudeTestedSurfaceSchema).describe(`Confirm testing is complete and your server works as intended in these surfaces. Select every surface you've verified. Claude.ai (web) and Claude Desktop are the usual targets for remote MCP servers; Claude Code and Cowork compatibility is not required. Anthropic requires at least two surfaces.`),
+	logoLight: z.string().describe(`Your connector's logo for light backgrounds. Requirements:
+• Format: SVG only
+• Aspect ratio: square (1:1)
+• Should work on a light background
+• Provide via URL (Google Drive link is fine) or upload directly
+Tip: use a simple, recognizable icon — not a full wordmark. The logo appears at small sizes in the directory grid.`),
+	logoDark: z.string().optional().describe(`Optional dark-mode variant of the connector logo. Same specs as the light variant (SVG, square 1:1) but designed to read on a dark background. Leave empty if the light logo already works on dark.`),
+	screenshots: z.array(screenshotEntrySchema).describe(`Screenshots or promotional images of your connector in action within Claude. Strongly recommended for all connectors, and required for MCP Apps (interactive UI). Guidelines:
+• 3–5 images is ideal
+• Minimum 1000px width, PNG format preferred
+• Each screenshot is paired with the user prompt that produced it
+• Crop to just the relevant part of the Claude interface (the tool response area)
+• Show your connector doing something impressive and useful — real data, real results
+• If you're an MCP App, include screenshots of your interactive UI elements
+These images appear in your directory listing and are a key factor in driving user installs.`)
+});
+claudeSubmissionFormDataSchema.pick({
+	companyName: true,
+	appName: true,
+	mcpUrlType: true,
+	serverUrl: true,
+	tools: true,
+	readWriteCapabilities: true,
+	isMcpApp: true,
+	transportSupport: true,
+	primaryContactEmail: true,
+	primaryContactName: true,
+	authentication: true,
+	personalDataHealthAccess: true,
+	testedSurfaces: true
+}).extend({
+	connectionRequirements: claudeSubmissionFormDataSchema.shape.connectionRequirements.optional(),
+	testingCredentials: claudeSubmissionFormDataSchema.shape.testingCredentials.optional()
+});
+claudeSubmissionFormDataSchema.pick({
+	tagline: true,
+	description: true,
+	category: true,
+	testCases: true
+}).extend({ tagline: clampStringField(claudeSubmissionFormDataSchema.shape.tagline) });
+const submissionMetaFieldsSchema = z.object({
+	id: z.string(),
+	environmentId: z.string(),
+	auditId: z.string().nullable(),
+	createdAt: z.coerce.date(),
+	updatedAt: z.coerce.date()
+});
+const claudeSubmissionSchemaInternal = submissionMetaFieldsSchema.extend({
+	platform: z.literal("claudeai"),
+	formData: claudeSubmissionFormDataSchema.partial()
+});
+const chatgptSubmissionSchemaInternal = submissionMetaFieldsSchema.extend({
+	platform: z.literal("chatgpt"),
+	formData: chatgptSubmissionFormDataSchema.partial()
+});
+z.discriminatedUnion("platform", [claudeSubmissionSchemaInternal, chatgptSubmissionSchemaInternal]);
+z.union([claudeSubmissionFormDataSchema.partial(), chatgptSubmissionFormDataSchema.partial()]);
+const subscriptionPlanSchema = z.enum([
+	"pro",
+	"business",
+	"enterprise"
+]);
+z.object({ plan: subscriptionPlanSchema.nullable() });
+const customerCreditsSchema = z.object({
+	balanceInCents: z.number(),
+	expiresAt: z.number().nullable(),
+	currency: z.string()
+});
+const customerUsageSchema = z.object({
+	amountInCents: z.number(),
+	currency: z.string(),
+	periodEnd: z.number()
+});
+const partnerDiscountSchema = z.object({ endsAt: z.number() });
+z.object({
+	customerCredits: customerCreditsSchema.nullable(),
+	customerUsage: customerUsageSchema.nullable(),
+	partnerDiscount: partnerDiscountSchema.nullable()
+});
+//#endregion
+//#region src/schemas.ts
+const RESERVED_KEYS = [
+	"_HANDLER",
+	"_X_AMZN_TRACE_ID",
+	"AWS_DEFAULT_REGION",
+	"AWS_REGION",
+	"AWS_EXECUTION_ENV",
+	"AWS_LAMBDA_FUNCTION_NAME",
+	"AWS_LAMBDA_FUNCTION_MEMORY_SIZE",
+	"AWS_LAMBDA_FUNCTION_VERSION",
+	"AWS_LAMBDA_INITIALIZATION_TYPE",
+	"AWS_LAMBDA_LOG_GROUP_NAME",
+	"AWS_LAMBDA_LOG_STREAM_NAME",
+	"AWS_ACCESS_KEY",
+	"AWS_ACCESS_KEY_ID",
+	"AWS_SECRET_ACCESS_KEY",
+	"AWS_SESSION_TOKEN",
+	"AWS_LAMBDA_RUNTIME_API",
+	"LAMBDA_TASK_ROOT",
+	"LAMBDA_RUNTIME_DIR",
+	"START_COMMAND",
+	"ENVIRONMENT_ID",
+	"PROJECT_BUILD_IMAGES_REPOSITORY_URI",
+	"ENVIRONMENT_LAMBDA_FUNCTION_ARN",
+	"SOURCE_REPOSITORY",
+	"SOURCE_BRANCH",
+	"SOURCE_REPOSITORY_CREDENTIALS",
+	"RUNTIME",
+	"ROOT_DIRECTORY",
+	"BUILD_ARG_INSTALL_COMMAND",
+	"BUILD_ARG_BUILD_COMMAND",
+	"BUILD_ARG_BUILD_OUTPUT_DIR",
+	"BUILD_ARG_START_COMMAND",
+	"ALPIC_HOST",
+	"ALPIC_CUSTOM_DOMAINS",
+	"ALPIC_INTENT_META_KEY"
+];
+const environmentVariableSchema = z.object({
+	key: z.string().min(2, "Key must be at least 2 characters").regex(/^[a-zA-Z]([a-zA-Z0-9_])+$/, "Key must start with a letter and contain only letters, numbers, and underscores").refine((key) => !RESERVED_KEYS.includes(key), "This key is reserved and cannot be used as an environment variable key"),
+	value: z.string().min(1, "Value is required"),
+	isSecret: z.boolean().default(false)
+});
+const environmentVariablesSchema = z.array(environmentVariableSchema);
+const updateEnvironmentVariableSchema = environmentVariableSchema.partial({
+	value: true,
+	isSecret: true
+});
+const buildSettingsSchema = z.object({
+	installCommand: z.string().optional(),
+	buildCommand: z.string().optional(),
+	buildOutputDir: z.string().optional(),
+	startCommand: z.string().optional()
+});
+const playgroundHeaderSchema = z.object({
+	name: z.string().min(1).max(100),
+	description: z.string().max(200),
+	isRequired: z.boolean().default(false),
+	isSecret: z.boolean().default(false)
+});
+const playgroundExamplePromptSchema = z.object({
+	title: z.string().min(1).max(100),
+	prompt: z.string().min(1).max(500)
+});
 const serverFieldsSchema = z.object({
 	$schema: z.string(),
 	name: z.string(),
@@ -199,7 +1334,7 @@ const createEnvironmentContractV1 = oc.route({
 	id: z.string(),
 	name: z.string(),
 	sourceBranch: z.string().nullable().describe("The branch used to build the environment"),
-	urls: z.array(z.string().url()).describe("The URLs of the MCP server"),
+	urls: z.array(z.url()).describe("The URLs of the MCP server"),
 	createdAt: z.coerce.date(),
 	projectId: z.string().describe("The ID of the project the environment belongs to")
 }));
@@ -215,7 +1350,7 @@ const getEnvironmentContractV1 = oc.route({
 	name: z.string(),
 	sourceBranch: z.string().nullable(),
 	mcpServerUrl: z.string(),
-	domains: z.array(z.url()),
+	domains: z.array(z.hostname()),
 	createdAt: z.coerce.date(),
 	projectId: z.string()
 }));
@@ -275,6 +1410,9 @@ const listProjectsContractV1 = oc.route({
 	description: "List all projects for a team",
 	tags: ["projects"],
 	successDescription: "The list of projects"
+}).errors({
+	NOT_FOUND: {},
+	BAD_REQUEST: {}
 }).input(z.object({ teamId: z.string().optional() }).optional()).output(z.array(projectOutputSchema));
 const createProjectContractV1 = oc.route({
 	path: "/v1/projects",
@@ -361,7 +1499,7 @@ const updateEnvironmentVariableContractV1 = oc.route({
 	environmentVariableId: z.string().describe("The ID of the environment variable"),
 	key: environmentVariableSchema.shape.key,
 	value: environmentVariableSchema.shape.value.optional(),
-	isSecret: environmentVariableSchema.shape.isSecret
+	isSecret: environmentVariableSchema.shape.isSecret.optional()
 })).output(z.object({ success: z.literal(true) }));
 const deleteEnvironmentVariableContractV1 = oc.route({
 	path: "/v1/environment-variables/{environmentVariableId}",
@@ -370,9 +1508,12 @@ const deleteEnvironmentVariableContractV1 = oc.route({
 	description: "Delete an environment variable by ID",
 	tags: ["environments"],
 	successDescription: "The environment variable has been deleted successfully"
-}).errors({ NOT_FOUND: {} }).input(z.object({ environmentVariableId: z.string().describe("The ID of the environment variable") })).output(z.object({ success: z.literal(true) }));
+}).errors({
+	NOT_FOUND: {},
+	BAD_REQUEST: {}
+}).input(z.object({ environmentVariableId: z.string().describe("The ID of the environment variable") })).output(z.object({ success: z.literal(true) }));
 const deleteProjectContractV1 = oc.route({
-	path: "/v1/projects/:projectId",
+	path: "/v1/projects/{projectId}",
 	method: "DELETE",
 	summary: "Delete a project",
 	description: "Delete a project and all its environments",
@@ -415,6 +1556,9 @@ const uploadDeploymentArtifactContractV1 = oc.route({
 	description: "Return a presigned S3 URL to upload a deployment artifact",
 	tags: ["deployments"],
 	successDescription: "The presigned upload URL has been generated successfully"
+}).errors({
+	NOT_FOUND: {},
+	BAD_REQUEST: {}
 }).input(z.object({ teamId: z.string().optional() }).optional()).output(z.object({
 	uploadUrl: z.url().describe("Presigned S3 URL to upload the source archive with HTTP PUT"),
 	token: z.string().describe("Token to identify the source archive"),
@@ -481,6 +1625,41 @@ const getLogsContractV1 = oc.route({
 	})),
 	nextToken: z.string().nullable()
 }));
+const getLatestLogsContractV1 = oc.route({
+	path: "/v1/environments/{environmentId}/latest-logs",
+	method: "GET",
+	summary: "Get latest logs",
+	description: "Get the N most recent logs for an environment",
+	tags: ["environments"],
+	successDescription: "The latest logs"
+}).errors({
+	NOT_FOUND: {},
+	BAD_REQUEST: {}
+}).input(z.object({
+	environmentId: z.string().describe("The ID of the environment"),
+	limit: z.coerce.number().int().min(1).max(1e3).default(100).describe("Number of most recent log entries to return"),
+	level: z.array(z.enum([
+		"INFO",
+		"ERROR",
+		"WARNING",
+		"DEBUG"
+	])).optional().describe("Filter by log level"),
+	search: z.string().optional().describe("Filter pattern to search for in log content")
+})).output(z.object({ logs: z.array(z.object({
+	timestamp: z.coerce.date(),
+	type: z.enum([
+		"START",
+		"END",
+		"INFO",
+		"ERROR",
+		"WARNING",
+		"DEBUG"
+	]),
+	requestId: z.string(),
+	content: z.string().optional(),
+	method: z.string().optional(),
+	durationInMs: z.number().optional()
+})) }));
 const getDeploymentLogsContractV1 = oc.route({
 	path: "/v1/deployments/{deploymentId}/logs",
 	method: "GET",
@@ -553,7 +1732,7 @@ const getTunnelTicketContractV1 = oc.route({
 	description: "Get a signed ticket for establishing a tunnel connection. Requires user authentication (API keys are not supported).",
 	tags: ["tunnels"],
 	successDescription: "The tunnel ticket"
-}).output(z.object({
+}).errors({ FORBIDDEN: {} }).output(z.object({
 	subdomain: z.string().describe("The subdomain assigned to the user"),
 	ticket: z.string().describe("The signed tunnel ticket"),
 	tunnelHost: z.string().describe("The tunnel host to connect to")
@@ -590,35 +1769,78 @@ const getServerInfoContractV1 = oc.route({
 	projectId: z.string(),
 	domain: z.string()
 })).output(z.object({ serverFields: serverFieldsSchema }));
+const playgroundServerMetadataOutputSchema = z.object({
+	name: z.string(),
+	description: z.string(),
+	headers: z.array(z.object({
+		name: z.string(),
+		description: z.string(),
+		isRequired: z.boolean(),
+		isSecret: z.boolean()
+	})),
+	examplePrompts: z.array(playgroundExamplePromptSchema)
+});
+const playgroundOutputSchema = z.object({
+	isPlaygroundEnabled: z.boolean(),
+	serverMetadata: playgroundServerMetadataOutputSchema.nullable()
+});
+const getPlaygroundContractV1 = oc.route({
+	path: "/v1/environments/{environmentId}/playground",
+	method: "GET",
+	summary: "Get playground configuration",
+	description: "Get the playground configuration for an environment",
+	tags: ["environments"],
+	successDescription: "The playground configuration"
+}).errors({ NOT_FOUND: {} }).input(z.object({ environmentId: z.string().describe("The ID of the environment") })).output(playgroundOutputSchema);
+const upsertPlaygroundContractV1 = oc.route({
+	path: "/v1/environments/{environmentId}/playground",
+	method: "PUT",
+	summary: "Update playground configuration",
+	description: "Update the playground configuration for an environment. All fields are optional — only provided fields are updated.",
+	tags: ["environments"],
+	successDescription: "The updated playground configuration"
+}).errors({
+	NOT_FOUND: {},
+	BAD_REQUEST: {}
+}).input(z.object({
+	environmentId: z.string().describe("The ID of the environment"),
+	isPlaygroundEnabled: z.boolean().optional(),
+	name: z.string().min(1).max(100).optional(),
+	description: z.string().min(1).max(500).optional(),
+	headers: z.array(playgroundHeaderSchema).optional(),
+	examplePrompts: z.array(playgroundExamplePromptSchema).max(5).optional()
+})).output(playgroundOutputSchema);
 const createBeaconContractV1 = oc.route({
-	path: "/v1/beacon/analyses",
+	path: "/v1/beacon/audits",
 	method: "POST",
-	summary: "Create a beacon analysis",
-	description: "Analyze an MCP server for spec compliance and AI client compatibility",
+	summary: "Create a beacon audit",
+	description: "Audit an MCP server for spec compliance and AI client compatibility",
 	tags: ["beacon"],
-	successDescription: "The analysis has been created"
+	successDescription: "The audit has been created"
 }).errors({
 	NOT_FOUND: {},
-	BAD_REQUEST: {}
+	BAD_REQUEST: {},
+	DNS_RESOLUTION_FAILED: { status: 400 }
 }).input(z.object({
-	targetUrl: z.string().url().describe("The HTTPS URL of the MCP server to analyze"),
-	teamId: z.string().optional().describe("The team ID to associate the analysis with"),
-	projectId: z.string().optional().describe("The project ID to associate the analysis with")
+	targetUrl: z.url().describe("The HTTPS URL of the MCP server to audit"),
+	teamId: z.string().optional().describe("The team ID to associate the audit with"),
+	projectId: z.string().optional().describe("The project ID to associate the audit with"),
+	excludeCategories: z.array(checkCategorySchema).optional().describe("Check categories to exclude from the audit")
 })).output(z.object({ id: z.string() }));
 const getBeaconContractV1 = oc.route({
-	path: "/v1/beacon/analyses/{analysisId}",
+	path: "/v1/beacon/audits/{auditId}",
 	method: "GET",
-	summary: "Get a beacon analysis",
-	description: "Get a beacon analysis by ID, including the report if completed",
+	summary: "Get a beacon audit",
+	description: "Get a beacon audit by ID, including the report if completed",
 	tags: ["beacon"],
-	successDescription: "The analysis details"
-}).errors({ NOT_FOUND: {} }).input(z.object({ analysisId: z.string().describe("The ID of the analysis") })).output(z.object({
+	successDescription: "The audit details"
+}).errors({ NOT_FOUND: {} }).input(z.object({ auditId: z.string().describe("The ID of the audit") })).output(z.object({
 	id: z.string(),
 	targetUrl: z.string(),
-	status: analysisStatusSchema,
+	status: auditStatusSchema,
 	durationMs: z.number().nullable(),
 	createdAt: z.coerce.date(),
-	report: auditReportSchema.nullable()
+	report: auditReportWithScreenshotsSchema.nullable()
 }));
 const contract = {
 	teams: { list: { v1: listTeamsContractV1 } },
@@ -633,7 +1855,8 @@ const contract = {
 		create: { v1: createEnvironmentContractV1 },
 		get: { v1: getEnvironmentContractV1 },
 		deploy: { v1: deployEnvironmentContractV1 },
-		getLogs: { v1: getLogsContractV1 }
+		getLogs: { v1: getLogsContractV1 },
+		getLatestLogs: { v1: getLatestLogsContractV1 }
 	},
 	environmentVariables: {
 		list: { v1: listEnvironmentVariablesContractV1 },
@@ -648,6 +1871,10 @@ const contract = {
 		create: { v1: createProjectContractV1 },
 		delete: { v1: deleteProjectContractV1 }
 	},
+	playground: {
+		get: { v1: getPlaygroundContractV1 },
+		upsert: { v1: upsertPlaygroundContractV1 }
+	},
 	tunnels: { getTicket: { v1: getTunnelTicketContractV1 } },
 	distribution: {
 		publish: { v1: publishServerContractV1 },
@@ -659,4 +1886,4 @@ const contract = {
 	}
 };
 //#endregion
-export { analysisStatusSchema, auditReportSchema, buildSettingsSchema, checkDetailSchema, checkResultSchema, contract, createEnvironmentContractV1, deploymentStatusSchema, environmentVariableSchema, environmentVariablesSchema, platformSchema, runtimeSchema, serverFieldsSchema, transportSchema };
+export { PLATFORM_LABELS, buildSettingsSchema, contract, createEnvironmentContractV1, deploymentStatusSchema, environmentVariableSchema, environmentVariablesSchema, playgroundExamplePromptSchema, playgroundHeaderSchema, runtimeSchema, serverFieldsSchema, transportSchema, updateEnvironmentVariableSchema };