@alpic-ai/api 0.0.0-staging.gc94c933 → 0.0.0-staging.gcd4957c

package/dist/index.mjs

@@ -1,6 +1,174 @@
 import { z } from "zod";
+import * as z$1 from "zod/v4";
 import { oc } from "@orpc/contract";
 import ms from "ms";
+//#region ../../node_modules/.pnpm/@modelcontextprotocol+sdk@1.29.0_@cfworker+json-schema@4.1.1_zod@4.4.3/node_modules/@modelcontextprotocol/sdk/dist/esm/shared/auth.js
+/**
+* Reusable URL validation that disallows javascript: scheme
+*/
+const SafeUrlSchema = z$1.url().superRefine((val, ctx) => {
+	if (!URL.canParse(val)) {
+		ctx.addIssue({
+			code: z$1.ZodIssueCode.custom,
+			message: "URL must be parseable",
+			fatal: true
+		});
+		return z$1.NEVER;
+	}
+}).refine((url) => {
+	const u = new URL(url);
+	return u.protocol !== "javascript:" && u.protocol !== "data:" && u.protocol !== "vbscript:";
+}, { message: "URL cannot use javascript:, data:, or vbscript: scheme" });
+/**
+* RFC 9728 OAuth Protected Resource Metadata
+*/
+const OAuthProtectedResourceMetadataSchema = z$1.looseObject({
+	resource: z$1.string().url(),
+	authorization_servers: z$1.array(SafeUrlSchema).optional(),
+	jwks_uri: z$1.string().url().optional(),
+	scopes_supported: z$1.array(z$1.string()).optional(),
+	bearer_methods_supported: z$1.array(z$1.string()).optional(),
+	resource_signing_alg_values_supported: z$1.array(z$1.string()).optional(),
+	resource_name: z$1.string().optional(),
+	resource_documentation: z$1.string().optional(),
+	resource_policy_uri: z$1.string().url().optional(),
+	resource_tos_uri: z$1.string().url().optional(),
+	tls_client_certificate_bound_access_tokens: z$1.boolean().optional(),
+	authorization_details_types_supported: z$1.array(z$1.string()).optional(),
+	dpop_signing_alg_values_supported: z$1.array(z$1.string()).optional(),
+	dpop_bound_access_tokens_required: z$1.boolean().optional()
+});
+/**
+* RFC 8414 OAuth 2.0 Authorization Server Metadata
+*/
+const OAuthMetadataSchema = z$1.looseObject({
+	issuer: z$1.string(),
+	authorization_endpoint: SafeUrlSchema,
+	token_endpoint: SafeUrlSchema,
+	registration_endpoint: SafeUrlSchema.optional(),
+	scopes_supported: z$1.array(z$1.string()).optional(),
+	response_types_supported: z$1.array(z$1.string()),
+	response_modes_supported: z$1.array(z$1.string()).optional(),
+	grant_types_supported: z$1.array(z$1.string()).optional(),
+	token_endpoint_auth_methods_supported: z$1.array(z$1.string()).optional(),
+	token_endpoint_auth_signing_alg_values_supported: z$1.array(z$1.string()).optional(),
+	service_documentation: SafeUrlSchema.optional(),
+	revocation_endpoint: SafeUrlSchema.optional(),
+	revocation_endpoint_auth_methods_supported: z$1.array(z$1.string()).optional(),
+	revocation_endpoint_auth_signing_alg_values_supported: z$1.array(z$1.string()).optional(),
+	introspection_endpoint: z$1.string().optional(),
+	introspection_endpoint_auth_methods_supported: z$1.array(z$1.string()).optional(),
+	introspection_endpoint_auth_signing_alg_values_supported: z$1.array(z$1.string()).optional(),
+	code_challenge_methods_supported: z$1.array(z$1.string()).optional(),
+	client_id_metadata_document_supported: z$1.boolean().optional()
+});
+/**
+* OpenID Connect Discovery 1.0 Provider Metadata
+* see: https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata
+*/
+const OpenIdProviderMetadataSchema = z$1.looseObject({
+	issuer: z$1.string(),
+	authorization_endpoint: SafeUrlSchema,
+	token_endpoint: SafeUrlSchema,
+	userinfo_endpoint: SafeUrlSchema.optional(),
+	jwks_uri: SafeUrlSchema,
+	registration_endpoint: SafeUrlSchema.optional(),
+	scopes_supported: z$1.array(z$1.string()).optional(),
+	response_types_supported: z$1.array(z$1.string()),
+	response_modes_supported: z$1.array(z$1.string()).optional(),
+	grant_types_supported: z$1.array(z$1.string()).optional(),
+	acr_values_supported: z$1.array(z$1.string()).optional(),
+	subject_types_supported: z$1.array(z$1.string()),
+	id_token_signing_alg_values_supported: z$1.array(z$1.string()),
+	id_token_encryption_alg_values_supported: z$1.array(z$1.string()).optional(),
+	id_token_encryption_enc_values_supported: z$1.array(z$1.string()).optional(),
+	userinfo_signing_alg_values_supported: z$1.array(z$1.string()).optional(),
+	userinfo_encryption_alg_values_supported: z$1.array(z$1.string()).optional(),
+	userinfo_encryption_enc_values_supported: z$1.array(z$1.string()).optional(),
+	request_object_signing_alg_values_supported: z$1.array(z$1.string()).optional(),
+	request_object_encryption_alg_values_supported: z$1.array(z$1.string()).optional(),
+	request_object_encryption_enc_values_supported: z$1.array(z$1.string()).optional(),
+	token_endpoint_auth_methods_supported: z$1.array(z$1.string()).optional(),
+	token_endpoint_auth_signing_alg_values_supported: z$1.array(z$1.string()).optional(),
+	display_values_supported: z$1.array(z$1.string()).optional(),
+	claim_types_supported: z$1.array(z$1.string()).optional(),
+	claims_supported: z$1.array(z$1.string()).optional(),
+	service_documentation: z$1.string().optional(),
+	claims_locales_supported: z$1.array(z$1.string()).optional(),
+	ui_locales_supported: z$1.array(z$1.string()).optional(),
+	claims_parameter_supported: z$1.boolean().optional(),
+	request_parameter_supported: z$1.boolean().optional(),
+	request_uri_parameter_supported: z$1.boolean().optional(),
+	require_request_uri_registration: z$1.boolean().optional(),
+	op_policy_uri: SafeUrlSchema.optional(),
+	op_tos_uri: SafeUrlSchema.optional(),
+	client_id_metadata_document_supported: z$1.boolean().optional()
+});
+/**
+* OpenID Connect Discovery metadata that may include OAuth 2.0 fields
+* This schema represents the real-world scenario where OIDC providers
+* return a mix of OpenID Connect and OAuth 2.0 metadata fields
+*/
+const OpenIdProviderDiscoveryMetadataSchema = z$1.object({
+	...OpenIdProviderMetadataSchema.shape,
+	...OAuthMetadataSchema.pick({ code_challenge_methods_supported: true }).shape
+});
+z$1.object({
+	access_token: z$1.string(),
+	id_token: z$1.string().optional(),
+	token_type: z$1.string(),
+	expires_in: z$1.coerce.number().optional(),
+	scope: z$1.string().optional(),
+	refresh_token: z$1.string().optional()
+}).strip();
+z$1.object({
+	error: z$1.string(),
+	error_description: z$1.string().optional(),
+	error_uri: z$1.string().optional()
+});
+/**
+* Optional version of SafeUrlSchema that allows empty string for retrocompatibility on tos_uri and logo_uri
+*/
+const OptionalSafeUrlSchema = SafeUrlSchema.optional().or(z$1.literal("").transform(() => void 0));
+/**
+* RFC 7591 OAuth 2.0 Dynamic Client Registration metadata
+*/
+const OAuthClientMetadataSchema = z$1.object({
+	redirect_uris: z$1.array(SafeUrlSchema),
+	token_endpoint_auth_method: z$1.string().optional(),
+	grant_types: z$1.array(z$1.string()).optional(),
+	response_types: z$1.array(z$1.string()).optional(),
+	client_name: z$1.string().optional(),
+	client_uri: SafeUrlSchema.optional(),
+	logo_uri: OptionalSafeUrlSchema,
+	scope: z$1.string().optional(),
+	contacts: z$1.array(z$1.string()).optional(),
+	tos_uri: OptionalSafeUrlSchema,
+	policy_uri: z$1.string().optional(),
+	jwks_uri: SafeUrlSchema.optional(),
+	jwks: z$1.any().optional(),
+	software_id: z$1.string().optional(),
+	software_version: z$1.string().optional(),
+	software_statement: z$1.string().optional()
+}).strip();
+/**
+* RFC 7591 OAuth 2.0 Dynamic Client Registration client information
+*/
+const OAuthClientInformationSchema = z$1.object({
+	client_id: z$1.string(),
+	client_secret: z$1.string().optional(),
+	client_id_issued_at: z$1.number().optional(),
+	client_secret_expires_at: z$1.number().optional()
+}).strip();
+OAuthClientMetadataSchema.merge(OAuthClientInformationSchema);
+z$1.object({
+	error: z$1.string(),
+	error_description: z$1.string().optional()
+}).strip();
+z$1.object({
+	token: z$1.string(),
+	token_type_hint: z$1.string().optional()
+}).strip();
 const platformSchema = z.enum(["chatgpt", "claudeai"]);
 const PLATFORM_LABELS = {
 	chatgpt: "ChatGPT",
@@ -71,7 +239,14 @@ const auditReportWithScreenshotsSchema = auditReportSchema.extend({ widgetScreen
 	chatgpt: widgetScreenshotSchema.optional(),
 	claudeai: widgetScreenshotSchema.optional()
 }) });
-z.enum([
+z.object({
+	id: z.string(),
+	environmentId: z.string(),
+	clientId: z.string(),
+	clientSecret: z.string(),
+	clientScopes: z.array(z.string())
+});
+const deploymentStatusSchema$1 = z.enum([
 	"ongoing",
 	"deployed",
 	"failed",
@@ -81,6 +256,119 @@ z.object({
 	timestamp: z.coerce.date().optional(),
 	content: z.string().optional()
 });
+const deploymentSummarySchema = z.object({
+	id: z.string(),
+	status: deploymentStatusSchema$1,
+	sourceBucket: z.string().nullable(),
+	sourceObjectKey: z.string().nullable(),
+	sourceRef: z.string().nullable(),
+	sourceCommitId: z.string().nullable(),
+	sourceCommitMessage: z.string().nullable(),
+	environmentId: z.string(),
+	authorUsername: z.string().nullable(),
+	authorAvatarUrl: z.string().nullable(),
+	startedAt: z.coerce.date().nullable(),
+	completedAt: z.coerce.date().nullable(),
+	isCurrent: z.boolean().optional(),
+	createdAt: z.coerce.date(),
+	updatedAt: z.coerce.date()
+});
+/**
+* Public environment
+*
+* No OAuth metadata exposed.
+*/
+const publicEnvironmentSchema = z.object({
+	isPublic: z.literal(true),
+	oAuthMetadata: z.undefined().optional()
+});
+/**
+* Protected environment with an external resource metadata URL
+*
+* An external resource metadata URL is returned in the WWW-Authenticate header during the first 401 response.
+* Everything that follows is handled outside of the MCP server scope.
+*/
+const externalResourceMetadataEnvironmentSchema = z.object({
+	isPublic: z.literal(false),
+	oAuthMetadata: z.object({ externalResourceMetadataUrl: z.url() }),
+	scope: z.string().optional()
+});
+/**
+* Protected environment with an external authorization server URL
+*
+* The server itself exposes the /.well-known/oauth-protected-resource endpoint.
+* An external authorization server URL is returned when requesting the endpoint.
+* Everything that follows is handled outside of the MCP server scope.
+*/
+const externalAuthorizationServerEnvironmentSchema = z.object({
+	isPublic: z.literal(false),
+	oAuthMetadata: z.object({
+		externalAuthorizationServerUrl: z.url(),
+		resourceMetadata: OAuthProtectedResourceMetadataSchema.optional()
+	}),
+	scope: z.string().optional()
+});
+/**
+* Standalone protected environment
+*
+* The server itself exposes the /.well-known/oauth-protected-resource endpoint.
+* The server itself exposes the /.well-known/oauth-authorization-server endpoint.
+*/
+const standaloneEnvironmentSchema = z.object({
+	isPublic: z.literal(false),
+	oAuthMetadata: z.object({
+		authorizationServerMetadata: z.union([OAuthMetadataSchema, OpenIdProviderDiscoveryMetadataSchema]),
+		resourceMetadata: OAuthProtectedResourceMetadataSchema.optional()
+	}),
+	scope: z.string().optional()
+});
+/**
+* Protected environment without OAuth discovery
+*
+* The server enforces authentication but exposes no OAuth discovery metadata.
+* Neither /.well-known/oauth-protected-resource nor /.well-known/oauth-authorization-server
+* are advertised. Clients must obtain credentials out-of-band.
+*/
+const protectedWithoutDiscoveryEnvironmentSchema = z.object({
+	isPublic: z.literal(false),
+	oAuthMetadata: z.strictObject({}),
+	scope: z.string().optional()
+});
+z.union([
+	publicEnvironmentSchema,
+	externalResourceMetadataEnvironmentSchema,
+	externalAuthorizationServerEnvironmentSchema,
+	standaloneEnvironmentSchema,
+	protectedWithoutDiscoveryEnvironmentSchema
+]);
+const allowedPlatformSchema = platformSchema;
+const environmentDomainSchema = z.object({
+	domain: z.string(),
+	status: z.enum([
+		"ongoing",
+		"deployed",
+		"failed"
+	]),
+	createdAt: z.coerce.date(),
+	updatedAt: z.coerce.date()
+});
+const environmentSchema$1 = z.object({
+	id: z.string(),
+	name: z.string(),
+	sourceBranch: z.string().nullable(),
+	mcpServerUrl: z.string(),
+	activeDeployment: deploymentSummarySchema.optional(),
+	latestDeployment: deploymentSummarySchema.optional(),
+	openaiAppsChallenge: z.string().nullable().optional(),
+	isPlaygroundEnabled: z.boolean(),
+	isIpWhitelistEnabled: z.boolean(),
+	ipAllowlist: z.array(z.string()).nullable(),
+	allowedPlatforms: z.array(allowedPlatformSchema),
+	projectId: z.string(),
+	createdAt: z.coerce.date(),
+	updatedAt: z.coerce.date()
+});
+const environmentWithDomainsSchema = environmentSchema$1.extend({ domains: z.array(environmentDomainSchema) });
 z.object({
 	id: z.string(),
 	createdAt: z.coerce.date(),
@@ -197,6 +485,76 @@ const transportSchema = z.enum([
 	"sse",
 	"streamablehttp"
 ]);
+z.object({
+	id: z.string(),
+	name: z.string(),
+	teamId: z.string(),
+	sourceRepository: z.string().nullable(),
+	createdAt: z.coerce.date().optional(),
+	runtime: runtimeSchema,
+	transport: transportSchema.nullable(),
+	rootDirectory: z.string().nullable(),
+	installCommand: z.string().nullable(),
+	buildCommand: z.string().nullable(),
+	buildOutputDir: z.string().nullable(),
+	startCommand: z.string().nullable(),
+	fixedOutboundIp: z.boolean(),
+	environments: z.array(environmentWithDomainsSchema),
+	productionEnvironment: environmentWithDomainsSchema.nullable()
+});
+z.object({
+	domain: z.string(),
+	createdAt: z.coerce.date(),
+	status: z.enum([
+		"ongoing",
+		"deployed",
+		"failed"
+	]),
+	environment: environmentSchema$1
+});
+const serverFieldsSchema$1 = z.object({
+	$schema: z.string(),
+	name: z.string(),
+	description: z.string(),
+	version: z.string().optional(),
+	title: z.string().optional(),
+	websiteUrl: z.string().optional(),
+	icons: z.array(z.object({
+		src: z.string(),
+		mimeType: z.string().optional(),
+		sizes: z.array(z.string()).optional()
+	})).optional(),
+	remotes: z.array(z.object({
+		type: z.string(),
+		url: z.string().optional(),
+		headers: z.array(z.object({
+			name: z.string(),
+			description: z.string(),
+			isRequired: z.boolean().optional(),
+			isSecret: z.boolean().optional()
+		})).optional()
+	})).optional()
+}).catchall(z.unknown());
+z.object({
+	serverFields: serverFieldsSchema$1,
+	source: z.enum(["registry", "defaults"])
+});
+/**
+* Returns a variant of a `maxLength`-constrained string that clamps (truncates) instead of
+* rejecting on overflow — used for AI-generated copy where the model routinely overshoots.
+*
+* NOTE: this rebuilds the schema from scratch, carrying over only `maxLength` (as a clamp),
+* `minLength`, and the description. Any other validators on the source field (`.regex()`,
+* `.email()`, custom refinements) are intentionally dropped — this helper is meant for plain
+* free-text length caps only. A field with `null` `maxLength` is returned unchanged.
+*/
+const clampStringField = (field) => {
+	const max = field.maxLength;
+	if (max === null) return field;
+	const clamped = z.string().overwrite((value) => value.slice(0, max)).max(max);
+	const withMin = field.minLength === null ? clamped : clamped.min(field.minLength);
+	return field.description ? withMin.describe(field.description) : withMin;
+};
 const toolDefinitionSchema = z.object({
 	name: z.string(),
 	title: z.string().optional().describe("Human-friendly name for the tool, used in the UI. If not provided, `name` will be used."),
@@ -214,6 +572,10 @@ const positiveTestCaseSchema = z.object({
 	toolTriggered: z.string().optional(),
 	expectedOutput: z.string().optional()
 }).partial().describe("Each case: Scenario, User prompt, Tool triggered, Expected output.");
+const screenshotEntrySchema = z.object({
+	prompt: z.string(),
+	url: z.url().or(z.literal(""))
+}).describe("Each screenshot: the user prompt that produced it + the image URL.");
 /** Accepts either a valid email or URL. */
 const supportChannelSchema = z.string().refine((value) => z.email().safeParse(value).success || z.url().safeParse(value).success, { error: "Must be a valid email or URL" });
 const chatgptCategorySchema = z.enum([
@@ -233,6 +595,71 @@ const chatgptCategorySchema = z.enum([
 ]);
 const chatgptAuthenticationSchema = z.enum(["No auth needed", "OAuth 2.0"]);
 const chatgptAllowedCountriesSchema = z.enum(["Allow all", "Restrict to specific countries"]);
+const chatgptTranslationLocaleSchema = z.enum([
+	"am",
+	"ar",
+	"bg-BG",
+	"bn-BD",
+	"bs-BA",
+	"ca-ES",
+	"cs-CZ",
+	"da-DK",
+	"de-DE",
+	"el-GR",
+	"es-419",
+	"es-ES",
+	"et-EE",
+	"fi-FI",
+	"fr-CA",
+	"fr-FR",
+	"gu-IN",
+	"hi-IN",
+	"hr-HR",
+	"hu-HU",
+	"hy-AM",
+	"id-ID",
+	"is-IS",
+	"it-IT",
+	"ja-JP",
+	"ka-GE",
+	"kk",
+	"kn-IN",
+	"ko-KR",
+	"lt",
+	"lv-LV",
+	"mk-MK",
+	"ml",
+	"mn",
+	"mr-IN",
+	"ms-MY",
+	"my-MM",
+	"nb-NO",
+	"nl-NL",
+	"pa",
+	"pl-PL",
+	"pt-BR",
+	"pt-PT",
+	"ro-RO",
+	"ru-RU",
+	"sk-SK",
+	"sl-SI",
+	"so-SO",
+	"sq-AL",
+	"sr-RS",
+	"sv-SE",
+	"sw-TZ",
+	"ta-IN",
+	"te-IN",
+	"th-TH",
+	"tl",
+	"tr-TR",
+	"uk-UA",
+	"ur",
+	"vi-VN",
+	"zh-CN",
+	"zh-HK",
+	"zh-TW"
+]);
 const negativeTestCaseSchema = z.object({
 	scenario: z.string(),
 	userPrompt: z.string()
@@ -243,21 +670,29 @@ const chatgptToolJustificationSchema = z.object({
 	openWorldJustification: z.string(),
 	destructiveJustification: z.string()
 }).describe("Per-tool justification of each MCP annotation value (one sentence per hint).");
+/**
+* Base copy fields, defined once and reused by both the submission form and per-locale
+* translations so the constraints (tagline ≤ 30 chars) never drift. The translation generation
+* path wraps these in {@link clampStringField} since the LLM tends to overshoot the limit.
+*/
+const chatgptTaglineSchema = z.string().max(30);
+const chatgptDescriptionSchema = z.string();
 const chatgptTranslationSchema = z.object({
-	locale: z.string(),
-	tagline: z.string().optional(),
-	description: z.string().optional()
+	locale: chatgptTranslationLocaleSchema,
+	tagline: chatgptTaglineSchema,
+	description: chatgptDescriptionSchema
 }).describe("Locale-scoped override for tagline + description. English (US) is the default.");
+chatgptTranslationSchema.extend({ tagline: clampStringField(chatgptTaglineSchema) });
 /**
 * Field order mirrors the ChatGPT (OpenAI) submission spreadsheet, grouped by section.
 * When adding/removing/reordering fields, keep this in sync with the sheet.
 */
 const chatgptSubmissionFormDataSchema = z.object({
 	logoLight: z.string().describe("Logo icon for light mode. Square PNG, no borders or rounded corners (clients apply circular cropping)."),
-	logoDark: z.string().describe("Logo icon for dark mode. Square PNG. Same specs as the light icon."),
+	logoDark: z.string().optional().describe("Optional dark-mode logo icon. Square PNG, same specs as the light icon. Leave empty if the light icon also works on dark backgrounds."),
 	appName: z.string().describe("The name users will see in ChatGPT and in the Apps Directory."),
-	tagline: z.string().max(30).describe("Plain-language phrase focused on function and user value. 30 chars max."),
-	description: z.string().describe("Clear, engaging description highlighting what the app does and why people will love it. Appears publicly on the directory page."),
+	tagline: chatgptTaglineSchema.describe("Plain-language phrase focused on function and user value. 30 chars max."),
+	description: chatgptDescriptionSchema.describe("Clear, engaging description highlighting what the app does and why people will love it. Appears publicly on the directory page."),
 	category: chatgptCategorySchema.describe("Category from the OpenAI taxonomy."),
 	developerName: z.string().describe("Developer name shown publicly on the app's directory page."),
 	companyUrl: z.url().describe("Your company's main website URL."),
@@ -272,7 +707,7 @@ const chatgptSubmissionFormDataSchema = z.object({
 	toolJustifications: z.array(chatgptToolJustificationSchema).describe("Per-tool justification of `readOnlyHint`, `openWorldHint`, and `destructiveHint` annotation values."),
 	testCases: z.array(positiveTestCaseSchema).describe("At least 5 positive test cases. Each: Scenario, User prompt, Tool triggered, Expected output. Coverage over all major use cases."),
 	negativeTestCases: z.array(negativeTestCaseSchema).describe("3 negative test cases — prompts where the app should NOT trigger but the model might think it's relevant."),
-	screenshots: z.array(z.url()).describe("URLs of in-app screenshots. Widget apps must show the widget UI; non-widget apps show the model response. Min 1, max 4. First three are public."),
+	screenshots: z.array(screenshotEntrySchema).describe("In-app screenshots paired with the user prompt that produced them. Widget apps must show the widget UI; non-widget apps show the model response. Min 1, max 4 entries. First three are public. Images: 706px wide, 400–860px tall, PNG."),
 	translations: z.array(chatgptTranslationSchema).describe("Per-locale translation of tagline + description. English (US) is the default."),
 	allowedCountries: chatgptAllowedCountriesSchema.describe("'Allow all' or restrict to a specific list. See OpenAI's supported countries list."),
 	releaseNotes: z.string().describe("Publicly displayed on the app details page.")
@@ -291,7 +726,7 @@ chatgptSubmissionFormDataSchema.pick({
 	testCases: true,
 	negativeTestCases: true,
 	toolJustifications: true
-});
+}).extend({ tagline: clampStringField(chatgptSubmissionFormDataSchema.shape.tagline) });
 const claudeCategorySchema = z.enum([
 	"Business & Productivity",
 	"Communication",
@@ -303,7 +738,7 @@ const claudeCategorySchema = z.enum([
 	"Media & Entertainment",
 	"Commerce & Shopping"
 ]);
-z.enum([
+const claudeAuthenticationSchema = z.enum([
 	"No auth needed",
 	"OAuth 2.0",
 	"Custom URL"
@@ -311,28 +746,34 @@ z.enum([
 const claudeMcpUrlTypeSchema = z.enum(["Universal URL", "Custom MCP URLs"]);
 z.enum(["Static OAuth Client", "Dynamic OAuth Client (DCR / CIMD)"]);
 const claudeReadWriteCapabilitiesSchema = z.enum([
-	"Read only",
-	"Write only",
-	"Read + write"
+	"Read Only",
+	"Write Only",
+	"Read + Write"
 ]);
 const claudeTransportSchema = z.enum(["Streamable HTTP", "SSE"]);
+const claudeTestedSurfaceSchema = z.enum([
+	"Claude.ai (web)",
+	"Claude Desktop",
+	"Claude Code",
+	"Cowork"
+]);
 const claudeThirdPartySchema = z.enum([
-	"Web access (open web fetch / scraping / arbitrary URLs)",
-	"Third-party AI model integration",
-	"Third-party data retrieval (via workflow / aggregator)",
-	"Third-party data modification (via workflow / aggregator)",
+	"Web access: Fetches information from the open web (e.g., web scraping, search engines, or browsing arbitrary URLs, not just connecting to a specific API)",
+	"Third-party AI model integration: Sends data to or receives data from a generative AI model other than Claude",
+	"Third-party data retrieval: Connects to external services that themselves retrieve data from other sources (e.g., workflow automation platforms or other services that aggregate or relay data from multiple third-party sources)",
+	"Third-party data modification: Can connect to external services that themselves create, update, or delete data in other sources (e.g., workflow automation platforms or other services that write to multiple third-party sources)",
 	"N/A"
 ]);
 const claudeDataHandlingSchema = z.enum([
 	"Server only accesses data explicitly requested by user",
 	"No data is stored beyond session requirements",
-	"Data transmission is encrypted (HTTPS / TLS)",
+	"Data transmission is encrypted (HTTPS/TLS)",
 	"GDPR compliant (if applicable)"
 ]);
 const claudeSponsoredContentSchema = z.enum([
 	"No, there is no sponsored content or advertisements",
 	"Yes, there are banner ads or other paid visual elements",
-	"Yes, returned content or ranking is impacted by sponsorship or ad placement"
+	"Yes, the returned content or ranking of returned content is impacted by sponsorship or ad placement"
 ]);
 /**
 * Field order mirrors the Claude (Anthropic) submission spreadsheet, grouped by section.
@@ -397,7 +838,7 @@ If 'Yes', you will also be required to provide screenshots of your UI (see Promo
 Note: These are attestations — you are legally agreeing to these practices by submitting the form.`),
 	personalDataHealthAccess: z.boolean().describe(`Select 'Yes' ONLY if your connector gives users access to their own personal health information — such as medical records, lab results, diagnoses, prescriptions, wearable health metrics (heart rate, sleep data, etc.), or mental health data.
 Select 'No' for the vast majority of business/productivity/dev tools. When in doubt, select 'No'. This field triggers additional compliance review if 'Yes'.`),
-	categories: z.array(claudeCategorySchema).describe(`Select the category or categories that best describe your connector. This determines where it appears in the directory's browse experience. Choose the most specific fit:
+	category: claudeCategorySchema.describe(`Select the category that best describes your connector. This determines where it appears in the directory's browse experience. Choose the most specific fit:
 • Business & Productivity — project management, CRM, HR, office tools
 • Communication — email, chat, messaging, notifications
 • Data & Analytics — dashboards, reporting, databases, BI tools
@@ -407,12 +848,13 @@ Select 'No' for the vast majority of business/productivity/dev tools. When in do
 • Health & Life Sciences — clinical, pharma, medical professional tools
 • Media & Entertainment — content, publishing, streaming
 • Commerce & Shopping — e-commerce, inventory, orders
-Multiple categories are allowed if genuinely applicable.`),
+Anthropic's submission form only accepts a single category.`),
 	sponsoredContentsOrAdvertisement: claudeSponsoredContentSchema.describe(`Be honest here — advertising is not permitted in the Connectors Directory per Anthropic's policy. Select the option that accurately describes your server:
 • 'No, there is no sponsored content or advertisements' — the results your server returns are not influenced by paid placement or sponsorship. This is what almost all connectors should select.
 • 'Yes, there are banner ads or other paid visual elements' — your UI includes visual ads. NOTE: this will likely lead to rejection, as Anthropic prohibits advertising in Claude.
 • 'Yes, the returned content or ranking of returned content is impacted by sponsorship or ad placement' — paid results affect what you return. NOTE: this also likely leads to rejection.
 If your server returns organic results from a platform that has ads in its own UI (but your API results are not affected by ads), select 'No'.`),
+	authentication: claudeAuthenticationSchema.describe("How users authenticate with the server. No auth / OAuth 2.0 / Custom URL (not supported)."),
 	transportSupport: z.array(claudeTransportSchema).describe(`Select all transport protocols your server supports:
 • 'Streamable HTTP' — the modern, recommended transport. Anthropic strongly recommends implementing this. This is the future-proof option and should be your default.
 • 'SSE (Server-Sent Events)' — the older transport. SSE may be deprecated by Anthropic later in 2025/2026. If you currently only support SSE, you should plan to migrate to Streamable HTTP.
@@ -452,19 +894,21 @@ Reviewers test every single tool you list here — don't list tools that don't w
 • 'I've specified user-friendly titles for all tools' — every tool has a 'title' annotation (a human-readable label, different from the tool name).
 • 'I've specified accurate tool annotations for all tools' — every tool has the correct annotation: readOnlyHint: true for read operations (search, get, list, fetch), OR destructiveHint: true for write operations (create, update, delete, send).
 This is the #1 reason submissions get rejected (30% of all rejections). Do not check these boxes without actually having implemented the annotations. See MCP spec for how to add them.`),
-	logoLight: z.string().describe(`Your connector's logo as displayed in the directory. Requirements:
+	testedSurfaces: z.array(claudeTestedSurfaceSchema).describe(`Confirm testing is complete and your server works as intended in these surfaces. Select every surface you've verified. Claude.ai (web) and Claude Desktop are the usual targets for remote MCP servers; Claude Code and Cowork compatibility is not required. Anthropic requires at least two surfaces.`),
+	logoLight: z.string().describe(`Your connector's logo for light backgrounds. Requirements:
 • Format: SVG only
 • Aspect ratio: square (1:1)
-• Should work on both light and dark backgrounds (or you can provide separate light/dark versions)
+• Should work on a light background
 • Provide via URL (Google Drive link is fine) or upload directly
 Tip: use a simple, recognizable icon — not a full wordmark. The logo appears at small sizes in the directory grid.`),
-	screenshots: z.array(z.url()).describe(`Screenshots or promotional images of your connector in action within Claude. Strongly recommended for all connectors, and required for MCP Apps (interactive UI). Guidelines:
+	logoDark: z.string().optional().describe(`Optional dark-mode variant of the connector logo. Same specs as the light variant (SVG, square 1:1) but designed to read on a dark background. Leave empty if the light logo already works on dark.`),
+	screenshots: z.array(screenshotEntrySchema).describe(`Screenshots or promotional images of your connector in action within Claude. Strongly recommended for all connectors, and required for MCP Apps (interactive UI). Guidelines:
 • 3–5 images is ideal
 • Minimum 1000px width, PNG format preferred
+• Each screenshot is paired with the user prompt that produced it
 • Crop to just the relevant part of the Claude interface (the tool response area)
 • Show your connector doing something impressive and useful — real data, real results
 • If you're an MCP App, include screenshots of your interactive UI elements
-• Videos are also welcome
 These images appear in your directory listing and are a key factor in driving user installs.`)
 });
 claudeSubmissionFormDataSchema.pick({
@@ -477,14 +921,20 @@ claudeSubmissionFormDataSchema.pick({
 	isMcpApp: true,
 	transportSupport: true,
 	primaryContactEmail: true,
-	primaryContactName: true
+	primaryContactName: true,
+	authentication: true,
+	personalDataHealthAccess: true,
+	testedSurfaces: true
+}).extend({
+	connectionRequirements: claudeSubmissionFormDataSchema.shape.connectionRequirements.optional(),
+	testingCredentials: claudeSubmissionFormDataSchema.shape.testingCredentials.optional()
 });
 claudeSubmissionFormDataSchema.pick({
 	tagline: true,
 	description: true,
-	categories: true,
+	category: true,
 	testCases: true
-});
+}).extend({ tagline: clampStringField(claudeSubmissionFormDataSchema.shape.tagline) });
 const submissionMetaFieldsSchema = z.object({
 	id: z.string(),
 	environmentId: z.string(),
@@ -1128,7 +1578,7 @@ const upsertPlaygroundContractV1 = oc.route({
 	name: z.string().min(1).max(100).optional(),
 	description: z.string().min(1).max(500).optional(),
 	headers: z.array(playgroundHeaderSchema).optional(),
-	examplePrompts: z.array(playgroundExamplePromptSchema).max(3).optional()
+	examplePrompts: z.array(playgroundExamplePromptSchema).max(5).optional()
 })).output(playgroundOutputSchema);
 const createBeaconContractV1 = oc.route({
 	path: "/v1/beacon/audits",

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@alpic-ai/api",
-  "version": "0.0.0-staging.gc94c933",
+  "version": "0.0.0-staging.gcd4957c",
   "description": "Contract for the Alpic API",
   "type": "module",
   "main": "./dist/index.mjs",