@alpic-ai/api 0.0.0-staging.gea175dd → 0.0.0-staging.geb6c146

package/dist/index.mjs

@@ -1,6 +1,174 @@
 import { z } from "zod";
+import * as z$1 from "zod/v4";
 import { oc } from "@orpc/contract";
 import ms from "ms";
+//#region ../../node_modules/.pnpm/@modelcontextprotocol+sdk@1.29.0_@cfworker+json-schema@4.1.1_zod@4.4.3/node_modules/@modelcontextprotocol/sdk/dist/esm/shared/auth.js
+/**
+* Reusable URL validation that disallows javascript: scheme
+*/
+const SafeUrlSchema = z$1.url().superRefine((val, ctx) => {
+	if (!URL.canParse(val)) {
+		ctx.addIssue({
+			code: z$1.ZodIssueCode.custom,
+			message: "URL must be parseable",
+			fatal: true
+		});
+		return z$1.NEVER;
+	}
+}).refine((url) => {
+	const u = new URL(url);
+	return u.protocol !== "javascript:" && u.protocol !== "data:" && u.protocol !== "vbscript:";
+}, { message: "URL cannot use javascript:, data:, or vbscript: scheme" });
+/**
+* RFC 9728 OAuth Protected Resource Metadata
+*/
+const OAuthProtectedResourceMetadataSchema = z$1.looseObject({
+	resource: z$1.string().url(),
+	authorization_servers: z$1.array(SafeUrlSchema).optional(),
+	jwks_uri: z$1.string().url().optional(),
+	scopes_supported: z$1.array(z$1.string()).optional(),
+	bearer_methods_supported: z$1.array(z$1.string()).optional(),
+	resource_signing_alg_values_supported: z$1.array(z$1.string()).optional(),
+	resource_name: z$1.string().optional(),
+	resource_documentation: z$1.string().optional(),
+	resource_policy_uri: z$1.string().url().optional(),
+	resource_tos_uri: z$1.string().url().optional(),
+	tls_client_certificate_bound_access_tokens: z$1.boolean().optional(),
+	authorization_details_types_supported: z$1.array(z$1.string()).optional(),
+	dpop_signing_alg_values_supported: z$1.array(z$1.string()).optional(),
+	dpop_bound_access_tokens_required: z$1.boolean().optional()
+});
+/**
+* RFC 8414 OAuth 2.0 Authorization Server Metadata
+*/
+const OAuthMetadataSchema = z$1.looseObject({
+	issuer: z$1.string(),
+	authorization_endpoint: SafeUrlSchema,
+	token_endpoint: SafeUrlSchema,
+	registration_endpoint: SafeUrlSchema.optional(),
+	scopes_supported: z$1.array(z$1.string()).optional(),
+	response_types_supported: z$1.array(z$1.string()),
+	response_modes_supported: z$1.array(z$1.string()).optional(),
+	grant_types_supported: z$1.array(z$1.string()).optional(),
+	token_endpoint_auth_methods_supported: z$1.array(z$1.string()).optional(),
+	token_endpoint_auth_signing_alg_values_supported: z$1.array(z$1.string()).optional(),
+	service_documentation: SafeUrlSchema.optional(),
+	revocation_endpoint: SafeUrlSchema.optional(),
+	revocation_endpoint_auth_methods_supported: z$1.array(z$1.string()).optional(),
+	revocation_endpoint_auth_signing_alg_values_supported: z$1.array(z$1.string()).optional(),
+	introspection_endpoint: z$1.string().optional(),
+	introspection_endpoint_auth_methods_supported: z$1.array(z$1.string()).optional(),
+	introspection_endpoint_auth_signing_alg_values_supported: z$1.array(z$1.string()).optional(),
+	code_challenge_methods_supported: z$1.array(z$1.string()).optional(),
+	client_id_metadata_document_supported: z$1.boolean().optional()
+});
+/**
+* OpenID Connect Discovery 1.0 Provider Metadata
+* see: https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata
+*/
+const OpenIdProviderMetadataSchema = z$1.looseObject({
+	issuer: z$1.string(),
+	authorization_endpoint: SafeUrlSchema,
+	token_endpoint: SafeUrlSchema,
+	userinfo_endpoint: SafeUrlSchema.optional(),
+	jwks_uri: SafeUrlSchema,
+	registration_endpoint: SafeUrlSchema.optional(),
+	scopes_supported: z$1.array(z$1.string()).optional(),
+	response_types_supported: z$1.array(z$1.string()),
+	response_modes_supported: z$1.array(z$1.string()).optional(),
+	grant_types_supported: z$1.array(z$1.string()).optional(),
+	acr_values_supported: z$1.array(z$1.string()).optional(),
+	subject_types_supported: z$1.array(z$1.string()),
+	id_token_signing_alg_values_supported: z$1.array(z$1.string()),
+	id_token_encryption_alg_values_supported: z$1.array(z$1.string()).optional(),
+	id_token_encryption_enc_values_supported: z$1.array(z$1.string()).optional(),
+	userinfo_signing_alg_values_supported: z$1.array(z$1.string()).optional(),
+	userinfo_encryption_alg_values_supported: z$1.array(z$1.string()).optional(),
+	userinfo_encryption_enc_values_supported: z$1.array(z$1.string()).optional(),
+	request_object_signing_alg_values_supported: z$1.array(z$1.string()).optional(),
+	request_object_encryption_alg_values_supported: z$1.array(z$1.string()).optional(),
+	request_object_encryption_enc_values_supported: z$1.array(z$1.string()).optional(),
+	token_endpoint_auth_methods_supported: z$1.array(z$1.string()).optional(),
+	token_endpoint_auth_signing_alg_values_supported: z$1.array(z$1.string()).optional(),
+	display_values_supported: z$1.array(z$1.string()).optional(),
+	claim_types_supported: z$1.array(z$1.string()).optional(),
+	claims_supported: z$1.array(z$1.string()).optional(),
+	service_documentation: z$1.string().optional(),
+	claims_locales_supported: z$1.array(z$1.string()).optional(),
+	ui_locales_supported: z$1.array(z$1.string()).optional(),
+	claims_parameter_supported: z$1.boolean().optional(),
+	request_parameter_supported: z$1.boolean().optional(),
+	request_uri_parameter_supported: z$1.boolean().optional(),
+	require_request_uri_registration: z$1.boolean().optional(),
+	op_policy_uri: SafeUrlSchema.optional(),
+	op_tos_uri: SafeUrlSchema.optional(),
+	client_id_metadata_document_supported: z$1.boolean().optional()
+});
+/**
+* OpenID Connect Discovery metadata that may include OAuth 2.0 fields
+* This schema represents the real-world scenario where OIDC providers
+* return a mix of OpenID Connect and OAuth 2.0 metadata fields
+*/
+const OpenIdProviderDiscoveryMetadataSchema = z$1.object({
+	...OpenIdProviderMetadataSchema.shape,
+	...OAuthMetadataSchema.pick({ code_challenge_methods_supported: true }).shape
+});
+z$1.object({
+	access_token: z$1.string(),
+	id_token: z$1.string().optional(),
+	token_type: z$1.string(),
+	expires_in: z$1.coerce.number().optional(),
+	scope: z$1.string().optional(),
+	refresh_token: z$1.string().optional()
+}).strip();
+z$1.object({
+	error: z$1.string(),
+	error_description: z$1.string().optional(),
+	error_uri: z$1.string().optional()
+});
+/**
+* Optional version of SafeUrlSchema that allows empty string for retrocompatibility on tos_uri and logo_uri
+*/
+const OptionalSafeUrlSchema = SafeUrlSchema.optional().or(z$1.literal("").transform(() => void 0));
+/**
+* RFC 7591 OAuth 2.0 Dynamic Client Registration metadata
+*/
+const OAuthClientMetadataSchema = z$1.object({
+	redirect_uris: z$1.array(SafeUrlSchema),
+	token_endpoint_auth_method: z$1.string().optional(),
+	grant_types: z$1.array(z$1.string()).optional(),
+	response_types: z$1.array(z$1.string()).optional(),
+	client_name: z$1.string().optional(),
+	client_uri: SafeUrlSchema.optional(),
+	logo_uri: OptionalSafeUrlSchema,
+	scope: z$1.string().optional(),
+	contacts: z$1.array(z$1.string()).optional(),
+	tos_uri: OptionalSafeUrlSchema,
+	policy_uri: z$1.string().optional(),
+	jwks_uri: SafeUrlSchema.optional(),
+	jwks: z$1.any().optional(),
+	software_id: z$1.string().optional(),
+	software_version: z$1.string().optional(),
+	software_statement: z$1.string().optional()
+}).strip();
+/**
+* RFC 7591 OAuth 2.0 Dynamic Client Registration client information
+*/
+const OAuthClientInformationSchema = z$1.object({
+	client_id: z$1.string(),
+	client_secret: z$1.string().optional(),
+	client_id_issued_at: z$1.number().optional(),
+	client_secret_expires_at: z$1.number().optional()
+}).strip();
+OAuthClientMetadataSchema.merge(OAuthClientInformationSchema);
+z$1.object({
+	error: z$1.string(),
+	error_description: z$1.string().optional()
+}).strip();
+z$1.object({
+	token: z$1.string(),
+	token_type_hint: z$1.string().optional()
+}).strip();
 const platformSchema = z.enum(["chatgpt", "claudeai"]);
 const PLATFORM_LABELS = {
 	chatgpt: "ChatGPT",
@@ -71,6 +239,13 @@ const auditReportWithScreenshotsSchema = auditReportSchema.extend({ widgetScreen
 	chatgpt: widgetScreenshotSchema.optional(),
 	claudeai: widgetScreenshotSchema.optional()
 }) });
+z.object({
+	id: z.string(),
+	environmentId: z.string(),
+	clientId: z.string(),
+	clientSecret: z.string(),
+	clientScopes: z.array(z.string())
+});
 const deploymentStatusSchema$1 = z.enum([
 	"ongoing",
 	"deployed",
@@ -98,6 +273,74 @@ const deploymentSummarySchema = z.object({
 	createdAt: z.coerce.date(),
 	updatedAt: z.coerce.date()
 });
+/**
+* Public environment
+*
+* No OAuth metadata exposed.
+*/
+const publicEnvironmentSchema = z.object({
+	isPublic: z.literal(true),
+	oAuthMetadata: z.undefined().optional()
+});
+/**
+* Protected environment with an external resource metadata URL
+*
+* An external resource metadata URL is returned in the WWW-Authenticate header during the first 401 response.
+* Everything that follows is handled outside of the MCP server scope.
+*/
+const externalResourceMetadataEnvironmentSchema = z.object({
+	isPublic: z.literal(false),
+	oAuthMetadata: z.object({ externalResourceMetadataUrl: z.url() }),
+	scope: z.string().optional()
+});
+/**
+* Protected environment with an external authorization server URL
+*
+* The server itself exposes the /.well-known/oauth-protected-resource endpoint.
+* An external authorization server URL is returned when requesting the endpoint.
+* Everything that follows is handled outside of the MCP server scope.
+*/
+const externalAuthorizationServerEnvironmentSchema = z.object({
+	isPublic: z.literal(false),
+	oAuthMetadata: z.object({
+		externalAuthorizationServerUrl: z.url(),
+		resourceMetadata: OAuthProtectedResourceMetadataSchema.optional()
+	}),
+	scope: z.string().optional()
+});
+/**
+* Standalone protected environment
+*
+* The server itself exposes the /.well-known/oauth-protected-resource endpoint.
+* The server itself exposes the /.well-known/oauth-authorization-server endpoint.
+*/
+const standaloneEnvironmentSchema = z.object({
+	isPublic: z.literal(false),
+	oAuthMetadata: z.object({
+		authorizationServerMetadata: z.union([OAuthMetadataSchema, OpenIdProviderDiscoveryMetadataSchema]),
+		resourceMetadata: OAuthProtectedResourceMetadataSchema.optional()
+	}),
+	scope: z.string().optional()
+});
+/**
+* Protected environment without OAuth discovery
+*
+* The server enforces authentication but exposes no OAuth discovery metadata.
+* Neither /.well-known/oauth-protected-resource nor /.well-known/oauth-authorization-server
+* are advertised. Clients must obtain credentials out-of-band.
+*/
+const protectedWithoutDiscoveryEnvironmentSchema = z.object({
+	isPublic: z.literal(false),
+	oAuthMetadata: z.strictObject({}),
+	scope: z.string().optional()
+});
+z.union([
+	publicEnvironmentSchema,
+	externalResourceMetadataEnvironmentSchema,
+	externalAuthorizationServerEnvironmentSchema,
+	standaloneEnvironmentSchema,
+	protectedWithoutDiscoveryEnvironmentSchema
+]);
 const allowedPlatformSchema = platformSchema;
 const environmentDomainSchema = z.object({
 	domain: z.string(),
@@ -296,6 +539,22 @@ z.object({
 	serverFields: serverFieldsSchema$1,
 	source: z.enum(["registry", "defaults"])
 });
+/**
+* Returns a variant of a `maxLength`-constrained string that clamps (truncates) instead of
+* rejecting on overflow — used for AI-generated copy where the model routinely overshoots.
+*
+* NOTE: this rebuilds the schema from scratch, carrying over only `maxLength` (as a clamp),
+* `minLength`, and the description. Any other validators on the source field (`.regex()`,
+* `.email()`, custom refinements) are intentionally dropped — this helper is meant for plain
+* free-text length caps only. A field with `null` `maxLength` is returned unchanged.
+*/
+const clampStringField = (field) => {
+	const max = field.maxLength;
+	if (max === null) return field;
+	const clamped = z.string().overwrite((value) => value.slice(0, max)).max(max);
+	const withMin = field.minLength === null ? clamped : clamped.min(field.minLength);
+	return field.description ? withMin.describe(field.description) : withMin;
+};
 const toolDefinitionSchema = z.object({
 	name: z.string(),
 	title: z.string().optional().describe("Human-friendly name for the tool, used in the UI. If not provided, `name` will be used."),
@@ -315,7 +574,7 @@ const positiveTestCaseSchema = z.object({
 }).partial().describe("Each case: Scenario, User prompt, Tool triggered, Expected output.");
 const screenshotEntrySchema = z.object({
 	prompt: z.string(),
-	url: z.url()
+	url: z.url().or(z.literal(""))
 }).describe("Each screenshot: the user prompt that produced it + the image URL.");
 /** Accepts either a valid email or URL. */
 const supportChannelSchema = z.string().refine((value) => z.email().safeParse(value).success || z.url().safeParse(value).success, { error: "Must be a valid email or URL" });
@@ -394,7 +653,7 @@ chatgptSubmissionFormDataSchema.pick({
 	testCases: true,
 	negativeTestCases: true,
 	toolJustifications: true
-});
+}).extend({ tagline: clampStringField(chatgptSubmissionFormDataSchema.shape.tagline) });
 const claudeCategorySchema = z.enum([
 	"Business & Productivity",
 	"Communication",
@@ -406,7 +665,7 @@ const claudeCategorySchema = z.enum([
 	"Media & Entertainment",
 	"Commerce & Shopping"
 ]);
-z.enum([
+const claudeAuthenticationSchema = z.enum([
 	"No auth needed",
 	"OAuth 2.0",
 	"Custom URL"
@@ -414,28 +673,34 @@ z.enum([
 const claudeMcpUrlTypeSchema = z.enum(["Universal URL", "Custom MCP URLs"]);
 z.enum(["Static OAuth Client", "Dynamic OAuth Client (DCR / CIMD)"]);
 const claudeReadWriteCapabilitiesSchema = z.enum([
-	"Read only",
-	"Write only",
-	"Read + write"
+	"Read Only",
+	"Write Only",
+	"Read + Write"
 ]);
 const claudeTransportSchema = z.enum(["Streamable HTTP", "SSE"]);
+const claudeTestedSurfaceSchema = z.enum([
+	"Claude.ai (web)",
+	"Claude Desktop",
+	"Claude Code",
+	"Cowork"
+]);
 const claudeThirdPartySchema = z.enum([
-	"Web access (open web fetch / scraping / arbitrary URLs)",
-	"Third-party AI model integration",
-	"Third-party data retrieval (via workflow / aggregator)",
-	"Third-party data modification (via workflow / aggregator)",
+	"Web access: Fetches information from the open web (e.g., web scraping, search engines, or browsing arbitrary URLs, not just connecting to a specific API)",
+	"Third-party AI model integration: Sends data to or receives data from a generative AI model other than Claude",
+	"Third-party data retrieval: Connects to external services that themselves retrieve data from other sources (e.g., workflow automation platforms or other services that aggregate or relay data from multiple third-party sources)",
+	"Third-party data modification: Can connect to external services that themselves create, update, or delete data in other sources (e.g., workflow automation platforms or other services that write to multiple third-party sources)",
 	"N/A"
 ]);
 const claudeDataHandlingSchema = z.enum([
 	"Server only accesses data explicitly requested by user",
 	"No data is stored beyond session requirements",
-	"Data transmission is encrypted (HTTPS / TLS)",
+	"Data transmission is encrypted (HTTPS/TLS)",
 	"GDPR compliant (if applicable)"
 ]);
 const claudeSponsoredContentSchema = z.enum([
 	"No, there is no sponsored content or advertisements",
 	"Yes, there are banner ads or other paid visual elements",
-	"Yes, returned content or ranking is impacted by sponsorship or ad placement"
+	"Yes, the returned content or ranking of returned content is impacted by sponsorship or ad placement"
 ]);
 /**
 * Field order mirrors the Claude (Anthropic) submission spreadsheet, grouped by section.
@@ -500,7 +765,7 @@ If 'Yes', you will also be required to provide screenshots of your UI (see Promo
 Note: These are attestations — you are legally agreeing to these practices by submitting the form.`),
 	personalDataHealthAccess: z.boolean().describe(`Select 'Yes' ONLY if your connector gives users access to their own personal health information — such as medical records, lab results, diagnoses, prescriptions, wearable health metrics (heart rate, sleep data, etc.), or mental health data.
 Select 'No' for the vast majority of business/productivity/dev tools. When in doubt, select 'No'. This field triggers additional compliance review if 'Yes'.`),
-	categories: z.array(claudeCategorySchema).describe(`Select the category or categories that best describe your connector. This determines where it appears in the directory's browse experience. Choose the most specific fit:
+	category: claudeCategorySchema.describe(`Select the category that best describes your connector. This determines where it appears in the directory's browse experience. Choose the most specific fit:
 • Business & Productivity — project management, CRM, HR, office tools
 • Communication — email, chat, messaging, notifications
 • Data & Analytics — dashboards, reporting, databases, BI tools
@@ -510,12 +775,13 @@ Select 'No' for the vast majority of business/productivity/dev tools. When in do
 • Health & Life Sciences — clinical, pharma, medical professional tools
 • Media & Entertainment — content, publishing, streaming
 • Commerce & Shopping — e-commerce, inventory, orders
-Multiple categories are allowed if genuinely applicable.`),
+Anthropic's submission form only accepts a single category.`),
 	sponsoredContentsOrAdvertisement: claudeSponsoredContentSchema.describe(`Be honest here — advertising is not permitted in the Connectors Directory per Anthropic's policy. Select the option that accurately describes your server:
 • 'No, there is no sponsored content or advertisements' — the results your server returns are not influenced by paid placement or sponsorship. This is what almost all connectors should select.
 • 'Yes, there are banner ads or other paid visual elements' — your UI includes visual ads. NOTE: this will likely lead to rejection, as Anthropic prohibits advertising in Claude.
 • 'Yes, the returned content or ranking of returned content is impacted by sponsorship or ad placement' — paid results affect what you return. NOTE: this also likely leads to rejection.
 If your server returns organic results from a platform that has ads in its own UI (but your API results are not affected by ads), select 'No'.`),
+	authentication: claudeAuthenticationSchema.describe("How users authenticate with the server. No auth / OAuth 2.0 / Custom URL (not supported)."),
 	transportSupport: z.array(claudeTransportSchema).describe(`Select all transport protocols your server supports:
 • 'Streamable HTTP' — the modern, recommended transport. Anthropic strongly recommends implementing this. This is the future-proof option and should be your default.
 • 'SSE (Server-Sent Events)' — the older transport. SSE may be deprecated by Anthropic later in 2025/2026. If you currently only support SSE, you should plan to migrate to Streamable HTTP.
@@ -555,6 +821,7 @@ Reviewers test every single tool you list here — don't list tools that don't w
 • 'I've specified user-friendly titles for all tools' — every tool has a 'title' annotation (a human-readable label, different from the tool name).
 • 'I've specified accurate tool annotations for all tools' — every tool has the correct annotation: readOnlyHint: true for read operations (search, get, list, fetch), OR destructiveHint: true for write operations (create, update, delete, send).
 This is the #1 reason submissions get rejected (30% of all rejections). Do not check these boxes without actually having implemented the annotations. See MCP spec for how to add them.`),
+	testedSurfaces: z.array(claudeTestedSurfaceSchema).describe(`Confirm testing is complete and your server works as intended in these surfaces. Select every surface you've verified. Claude.ai (web) and Claude Desktop are the usual targets for remote MCP servers; Claude Code and Cowork compatibility is not required. Anthropic requires at least two surfaces.`),
 	logoLight: z.string().describe(`Your connector's logo for light backgrounds. Requirements:
 • Format: SVG only
 • Aspect ratio: square (1:1)
@@ -581,14 +848,20 @@ claudeSubmissionFormDataSchema.pick({
 	isMcpApp: true,
 	transportSupport: true,
 	primaryContactEmail: true,
-	primaryContactName: true
+	primaryContactName: true,
+	authentication: true,
+	personalDataHealthAccess: true,
+	testedSurfaces: true
+}).extend({
+	connectionRequirements: claudeSubmissionFormDataSchema.shape.connectionRequirements.optional(),
+	testingCredentials: claudeSubmissionFormDataSchema.shape.testingCredentials.optional()
 });
 claudeSubmissionFormDataSchema.pick({
 	tagline: true,
 	description: true,
-	categories: true,
+	category: true,
 	testCases: true
-});
+}).extend({ tagline: clampStringField(claudeSubmissionFormDataSchema.shape.tagline) });
 const submissionMetaFieldsSchema = z.object({
 	id: z.string(),
 	environmentId: z.string(),
@@ -1232,7 +1505,7 @@ const upsertPlaygroundContractV1 = oc.route({
 	name: z.string().min(1).max(100).optional(),
 	description: z.string().min(1).max(500).optional(),
 	headers: z.array(playgroundHeaderSchema).optional(),
-	examplePrompts: z.array(playgroundExamplePromptSchema).max(3).optional()
+	examplePrompts: z.array(playgroundExamplePromptSchema).max(5).optional()
 })).output(playgroundOutputSchema);
 const createBeaconContractV1 = oc.route({
 	path: "/v1/beacon/audits",

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@alpic-ai/api",
-  "version": "0.0.0-staging.gea175dd",
+  "version": "0.0.0-staging.geb6c146",
   "description": "Contract for the Alpic API",
   "type": "module",
   "main": "./dist/index.mjs",