{
  "version": "1.0",
  "site": "https://xinglianquant.com",
  "marker": "WEBSITE_AUTH_EMAIL_ONLY_MCP_CONTRACT_20260607",
  "actions": [
    {
      "id": "register-website-account",
      "name": "Create account with email verification",
      "description": "Create a XingLian Quant website account using email, password, accepted terms, and a previously delivered email verification code.",
      "method": "declarative",
      "endpoint": "/api/auth/register",
      "parameters": {
        "required": [
          "email",
          "password",
          "code",
          "termsAccepted",
          "riskAccepted"
        ]
      },
      "boundaries": {
        "email_code_required": true,
        "fake_delivery_success": false
      }
    },
    {
      "id": "login-website-account",
      "name": "Log in with email and password",
      "description": "Log in to the XingLian Quant account center using email and password.",
      "method": "declarative",
      "endpoint": "/api/auth/login",
      "parameters": {
        "required": [
          "email",
          "password"
        ]
      }
    },
    {
      "id": "confirm-email-code",
      "name": "Confirm email verification code",
      "description": "Confirm a previously requested email verification code.",
      "method": "declarative",
      "endpoint": "/api/auth/verification/confirm",
      "parameters": {
        "required": [
          "channel",
          "target",
          "purpose",
          "code"
        ]
      },
      "boundaries": {
        "email_only_public_flow": true
      }
    },
    {
      "id": "request-email-verification-code",
      "name": "Request email verification code",
      "description": "Request an email verification, registration, or password-reset code. Delivery success is shown only after the email service confirms delivery.",
      "method": "declarative",
      "endpoint": "/api/auth/verification/request",
      "parameters": {
        "required": [
          "channel",
          "target",
          "purpose"
        ]
      },
      "boundaries": {
        "fake_delivery_success": false,
        "email_only_public_flow": true
      }
    },
    {
      "id": "reset-password-with-code",
      "name": "Reset password with code",
      "description": "Reset a website account password using a requested email verification code. Does not fake completion if delivery or verification is unavailable.",
      "method": "declarative",
      "endpoint": "/api/auth/password/reset",
      "parameters": {
        "required": [
          "channel",
          "target",
          "code",
          "newPassword"
        ]
      },
      "boundaries": {
        "fake_delivery_success": false,
        "fake_password_reset": false,
        "trading_authority": false
      }
    },
    {
      "id": "apply-early-access",
      "name": "Apply for early access",
      "description": "Submit an early access application after logging in. Does not unlock payment, client access, download or trading.",
      "method": "declarative",
      "endpoint": "/api/private-beta/apply",
      "parameters": {
        "required": [
          "fullName",
          "useCase"
        ]
      }
    },
    {
      "id": "create-subscription-intent",
      "name": "Create subscription checkout",
      "description": "Create a secure XingLian Quant subscription checkout and continue the customer to the hosted payment page. After signed payment confirmation, the subscription period starts immediately and the Windows client uses the same website email and password.",
      "method": "declarative",
      "endpoint": "/api/billing/checkout",
      "parameters": {
        "required": [
          "planId"
        ]
      },
      "boundaries": {
        "fake_payment_success": false,
        "payment_requires_signed_ipn": true,
        "public_installer_unlock": false,
        "trading_authority": false,
        "customer_copy_only": true
      }
    },
    {
      "id": "view-client-access-status",
      "name": "View client access status",
      "description": "Check whether the signed-in account has an active subscription and same-account Windows client access. This is read-only and does not start the subscription period.",
      "method": "declarative",
      "endpoint": "/api/license/status",
      "parameters": {
        "required": []
      },
      "boundaries": {
        "manual_license_application_required": false,
        "subscription_period_starts_after_payment_confirmation": true,
        "public_installer_unlock": false,
        "trading_authority": false
      }
    },
    {
      "id": "request-controlled-download",
      "name": "Request download link",
      "description": "Request a XingLian Quant client download link for a signed-in customer with an active subscription and download eligibility. No direct public package link is exposed on customer pages.",
      "method": "declarative",
      "endpoint": "/api/download/request",
      "parameters": {
        "required": []
      }
    },
    {
      "id": "create-support-ticket",
      "name": "Create support ticket",
      "description": "Create a customer support ticket with a server-side account/subscription/client-access/download status snapshot. No local file upload, no admin mutation, no trading authority.",
      "method": "declarative",
      "endpoint": "/api/support/tickets",
      "parameters": {
        "required": [
          "category",
          "subject",
          "message"
        ],
        "optional": [
          "priority"
        ]
      }
    },
    {
      "id": "list-support-tickets",
      "name": "List support tickets",
      "description": "List the current user's private-beta support tickets. Read-only.",
      "method": "declarative",
      "endpoint": "/api/support/tickets",
      "parameters": {
        "required": []
      }
    },
    {
      "id": "admin-readonly-summary",
      "name": "Admin read-only summary",
      "description": "Read-only ops summary for authorized operators. No customer/client-access/support/download mutation, no secret reveal.",
      "method": "declarative",
      "endpoint": "/api/ops/readonly/summary",
      "read_only": true,
      "parameters": {
        "required": []
      }
    },
    {
      "id": "admin-readonly-support-tickets",
      "name": "Admin read-only support tickets",
      "description": "Read-only list of support tickets for authorized operators. No customer, financial, client-access, download or support-ticket changes.",
      "method": "declarative",
      "endpoint": "/api/ops/readonly/support-tickets",
      "read_only": true,
      "parameters": {
        "required": []
      }
    },
    {
      "id": "admin-readonly-user-detail",
      "name": "Admin read-only user detail",
      "description": "Read-only customer/account/client-access/download/support summary by user id. Returns masked email and redacted entitlement/download fields.",
      "method": "declarative",
      "endpoint": "/api/ops/readonly/user",
      "read_only": true,
      "parameters": {
        "required": [
          "id"
        ]
      }
    },
    {
      "id": "client-bridge-status",
      "name": "Windows client bridge status",
      "description": "Read-only status for P8 Windows client bridge. Shows env readiness and safety boundaries.",
      "method": "declarative",
      "endpoint": "/api/client/bridge/status",
      "read_only": true,
      "parameters": {
        "required": []
      }
    },
    {
      "id": "client-bridge-handshake",
      "name": "Windows client bridge handshake",
      "description": "Read-only account/download/support readiness handshake for the Windows client. Requires same-account client session/device hash. Does not grant trading authority.",
      "method": "api",
      "endpoint": "/api/client/bridge/handshake",
      "read_only": true,
      "audit_write": true,
      "parameters": {
        "required": [
          "device_id_hash",
          "client_version",
          "platform"
        ]
      }
    },
    {
      "id": "client-bridge-redacted-diagnostics",
      "name": "Windows client bridge redacted diagnostics",
      "description": "Record redacted diagnostics summary only. Local file uploads, secrets, broker credentials and raw logs are rejected.",
      "method": "api",
      "endpoint": "/api/client/bridge/diagnostics",
      "read_only": true,
      "audit_write": true,
      "parameters": {
        "required": [
          "device_id_hash",
          "diagnostics"
        ]
      }
    },
    {
      "id": "seed-beta-execution-status",
      "name": "Seed-user early access execution status",
      "description": "Read-only P9 early access execution readiness, manual approval boundaries and runbook.",
      "method": "declarative",
      "endpoint": "/api/private-beta/execution/status",
      "read_only": true,
      "parameters": {
        "required": []
      }
    },
    {
      "id": "seed-beta-redacted-evidence",
      "name": "Record seed beta redacted evidence",
      "description": "Record redacted seed-user early access evidence. Rejects raw signed URLs, local files and broker credentials. Does not approve users or launch public beta.",
      "method": "api",
      "endpoint": "/api/private-beta/execution/evidence",
      "read_only": true,
      "audit_write": true,
      "parameters": {
        "required": [
          "event_type",
          "result_status",
          "evidence"
        ]
      }
    },
    {
      "id": "account-profile-read",
      "name": "Read account profile",
      "description": "Read the current signed-in account profile. Does not expose password hash, session token or trading authority. Login required.",
      "method": "declarative",
      "endpoint": "/api/account/profile",
      "read_only": true,
      "parameters": {
        "required": []
      }
    },
    {
      "id": "account-profile-update",
      "name": "Update account profile",
      "description": "Update the current signed-in account profile fields: display_name, company, role, timezone, preferred_locale. Does not mutate beta approval, payment, client access, download or trading authority.",
      "method": "api",
      "endpoint": "/api/account/profile",
      "read_only": false,
      "audit_write": true,
      "parameters": {
        "required": [],
        "optional": [
          "display_name",
          "company",
          "role",
          "timezone",
          "preferred_locale"
        ]
      }
    },
    {
      "id": "account-security-status",
      "name": "Read account security status",
      "description": "Read current account security status, active session count and recent audit event types. No secrets or raw session tokens are returned. Login required.",
      "method": "declarative",
      "endpoint": "/api/account/security",
      "read_only": true,
      "parameters": {
        "required": []
      }
    },
    {
      "id": "account-sessions-list",
      "name": "List account sessions",
      "description": "List current account sessions with IDs, created/expires/revoked timestamps and current-session flag. Raw session tokens are never returned.",
      "method": "declarative",
      "endpoint": "/api/account/sessions",
      "read_only": true,
      "parameters": {
        "required": []
      }
    },
    {
      "id": "account-session-revoke",
      "name": "Revoke another account session",
      "description": "Revoke a non-current session belonging to the signed-in account. Cannot revoke other users' sessions and cannot revoke the current session; use logout for the current session.",
      "method": "api",
      "endpoint": "/api/account/sessions/revoke",
      "read_only": false,
      "audit_write": true,
      "parameters": {
        "required": [
          "session_id"
        ]
      }
    },
    {
      "id": "account-password-change",
      "name": "Change account password",
      "description": "Change the signed-in account password with currentPassword and newPassword. Revokes other sessions. Never returns password hash or session tokens.",
      "method": "api",
      "endpoint": "/api/account/password/change",
      "read_only": false,
      "audit_write": true,
      "parameters": {
        "required": [
          "currentPassword",
          "newPassword"
        ]
      }
    }
  ]
}
