{
  "version": "1.0",
  "site": "https://xinglianquant.com",
  "marker": "WEBSITE_AUTH_EMAIL_ONLY_MCP_CONTRACT_20260607",
  "actions": [
    {
      "id": "register-website-account",
      "name": "Create account with email verification",
      "description": "Create a XingLian Quant website account using email, password, accepted terms, and a previously delivered email verification code.",
      "method": "declarative",
      "endpoint": "/api/auth/register",
      "parameters": {
        "required": [
          "email",
          "password",
          "code",
          "termsAccepted",
          "riskAccepted"
        ]
      },
      "boundaries": {
        "email_code_required": true,
        "fake_delivery_success": false
      }
    },
    {
      "id": "login-website-account",
      "name": "Log in with email and password",
      "description": "Log in to the XingLian Quant account center using email and password.",
      "method": "declarative",
      "endpoint": "/api/auth/login",
      "parameters": {
        "required": [
          "email",
          "password"
        ]
      }
    },
    {
      "id": "confirm-email-code",
      "name": "Confirm email verification code",
      "description": "Confirm a previously requested email verification code.",
      "method": "declarative",
      "endpoint": "/api/auth/verification/confirm",
      "parameters": {
        "required": [
          "channel",
          "target",
          "purpose",
          "code"
        ]
      },
      "boundaries": {
        "email_only_public_flow": true
      }
    },
    {
      "id": "request-email-verification-code",
      "name": "Request email verification code",
      "description": "Request an email verification, registration, or password-reset code. Delivery success is shown only after the email service confirms delivery.",
      "method": "declarative",
      "endpoint": "/api/auth/verification/request",
      "parameters": {
        "required": [
          "channel",
          "target",
          "purpose"
        ]
      },
      "boundaries": {
        "fake_delivery_success": false,
        "email_only_public_flow": true
      }
    },
    {
      "id": "reset-password-with-code",
      "name": "Reset password with code",
      "description": "Reset a website account password using a requested email verification code. Does not fake completion if delivery or verification is unavailable.",
      "method": "declarative",
      "endpoint": "/api/auth/password/reset",
      "parameters": {
        "required": [
          "channel",
          "target",
          "code",
          "newPassword"
        ]
      },
      "boundaries": {
        "fake_delivery_success": false,
        "fake_password_reset": false,
        "trading_authority": false
      }
    },
    {
      "id": "apply-early-access",
      "name": "Apply for early access",
      "description": "Submit an early access application after logging in. Does not unlock payment, license, download or trading.",
      "method": "declarative",
      "endpoint": "/api/private-beta/apply",
      "parameters": {
        "required": [
          "fullName",
          "useCase"
        ]
      }
    },
    {
      "id": "create-subscription-intent",
      "name": "Create subscription checkout",
      "description": "Create a secure XingLian Quant subscription checkout and continue the customer to the hosted payment page. The account updates subscription and license eligibility only after payment confirmation.",
      "method": "declarative",
      "endpoint": "/api/billing/checkout",
      "parameters": {
        "required": [
          "planId"
        ]
      },
      "boundaries": {
        "fake_payment_success": false,
        "payment_requires_signed_ipn": true,
        "public_installer_unlock": false,
        "trading_authority": false,
        "customer_copy_only": true
      }
    },
    {
      "id": "request-license-issuance",
      "name": "Request license issuance",
      "description": "Issue a XingLian Quant activation code for an authenticated account with active subscription eligibility. No client activation bridge, no download unlock and no trading authority.",
      "method": "declarative",
      "endpoint": "/api/license/issue",
      "parameters": {
        "required": []
      }
    },
    {
      "id": "verify-license-state",
      "name": "Verify license state",
      "description": "Verify a XingLian Quant activation code signature and status. No device binding or entitlement unlock.",
      "method": "declarative",
      "endpoint": "/api/license/verify",
      "parameters": {
        "required": [
          "activationCode"
        ]
      }
    },
    {
      "id": "request-controlled-download",
      "name": "Request download link",
      "description": "Request a XingLian Quant client download link for a signed-in customer with active license/download eligibility. No direct public package link is exposed on customer pages.",
      "method": "declarative",
      "endpoint": "/api/download/request",
      "parameters": {
        "required": []
      }
    },
    {
      "id": "create-support-ticket",
      "name": "Create support ticket",
      "description": "Create a private-beta support ticket with server-side account/payment/license/download status snapshot. No local file upload, no admin mutation, no trading authority.",
      "method": "declarative",
      "endpoint": "/api/support/tickets",
      "parameters": {
        "required": [
          "category",
          "subject",
          "message"
        ],
        "optional": [
          "priority"
        ]
      }
    },
    {
      "id": "list-support-tickets",
      "name": "List support tickets",
      "description": "List the current user's private-beta support tickets. Read-only.",
      "method": "declarative",
      "endpoint": "/api/support/tickets",
      "parameters": {
        "required": []
      }
    },
    {
      "id": "admin-readonly-summary",
      "name": "Admin read-only summary",
      "description": "Read-only ops summary for authorized operators. No customer/license/support/download mutation, and no secrets are revealed.",
      "method": "declarative",
      "endpoint": "/api/ops/readonly/summary",
      "read_only": true,
      "parameters": {
        "required": []
      }
    },
    {
      "id": "admin-readonly-support-tickets",
      "name": "Admin read-only support tickets",
      "description": "Read-only list of support tickets for authorized operators. No customer, financial, license, download or support-ticket changes.",
      "method": "declarative",
      "endpoint": "/api/ops/readonly/support-tickets",
      "read_only": true,
      "parameters": {
        "required": []
      }
    },
    {
      "id": "admin-readonly-user-detail",
      "name": "Admin read-only user detail",
      "description": "Read-only customer/account/license/download/support summary by user id. Returns masked email and redacted license/download fields.",
      "method": "declarative",
      "endpoint": "/api/ops/readonly/user",
      "read_only": true,
      "parameters": {
        "required": [
          "id"
        ]
      }
    },
    {
      "id": "client-bridge-status",
      "name": "Windows client bridge status",
      "description": "Read-only status for P8 Windows client bridge. Shows env readiness and safety boundaries.",
      "method": "declarative",
      "endpoint": "/api/client/bridge/status",
      "read_only": true,
      "parameters": {
        "required": []
      }
    },
    {
      "id": "client-bridge-handshake",
      "name": "Windows client bridge handshake",
      "description": "Read-only activation/download/support readiness handshake for the Windows client. Requires activation_code and a SHA-256 device_id_hash. Does not authorize devices or grant trading authority.",
      "method": "api",
      "endpoint": "/api/client/bridge/handshake",
      "read_only": true,
      "audit_write": true,
      "parameters": {
        "required": [
          "activation_code",
          "device_id_hash",
          "client_version",
          "platform"
        ]
      }
    },
    {
      "id": "client-bridge-redacted-diagnostics",
      "name": "Windows client bridge redacted diagnostics",
      "description": "Record redacted diagnostics summary only. Local file uploads, secrets, broker credentials and raw logs are rejected.",
      "method": "api",
      "endpoint": "/api/client/bridge/diagnostics",
      "read_only": true,
      "audit_write": true,
      "parameters": {
        "required": [
          "device_id_hash",
          "diagnostics"
        ]
      }
    },
    {
      "id": "seed-beta-execution-status",
      "name": "Seed-user early access execution status",
      "description": "Read-only P9 early access execution readiness, manual approval boundaries and runbook.",
      "method": "declarative",
      "endpoint": "/api/private-beta/execution/status",
      "read_only": true,
      "parameters": {
        "required": []
      }
    },
    {
      "id": "seed-beta-redacted-evidence",
      "name": "Record seed beta redacted evidence",
      "description": "Record redacted seed-user early access evidence. Rejects activation codes, raw signed URLs, local files and broker credentials. Does not approve users or launch public beta.",
      "method": "api",
      "endpoint": "/api/private-beta/execution/evidence",
      "read_only": true,
      "audit_write": true,
      "parameters": {
        "required": [
          "event_type",
          "result_status",
          "evidence"
        ]
      }
    },
    {
      "id": "account-profile-read",
      "name": "Read account profile",
      "description": "Read the current signed-in account profile. Does not expose password hash, session token or trading authority. Login required.",
      "method": "declarative",
      "endpoint": "/api/account/profile",
      "read_only": true,
      "parameters": {
        "required": []
      }
    },
    {
      "id": "account-profile-update",
      "name": "Update account profile",
      "description": "Update the current signed-in account profile fields: display_name, company, role, timezone, preferred_locale. Does not mutate beta approval, payment, license, download or trading authority.",
      "method": "api",
      "endpoint": "/api/account/profile",
      "read_only": false,
      "audit_write": true,
      "parameters": {
        "required": [],
        "optional": [
          "display_name",
          "company",
          "role",
          "timezone",
          "preferred_locale"
        ]
      }
    },
    {
      "id": "account-security-status",
      "name": "Read account security status",
      "description": "Read current account security status, active session count and recent audit event types. No secrets or raw session tokens are returned. Login required.",
      "method": "declarative",
      "endpoint": "/api/account/security",
      "read_only": true,
      "parameters": {
        "required": []
      }
    },
    {
      "id": "account-sessions-list",
      "name": "List account sessions",
      "description": "List current account sessions with IDs, created/expires/revoked timestamps and current-session flag. Raw session tokens are never returned.",
      "method": "declarative",
      "endpoint": "/api/account/sessions",
      "read_only": true,
      "parameters": {
        "required": []
      }
    },
    {
      "id": "account-session-revoke",
      "name": "Revoke another account session",
      "description": "Revoke a non-current session belonging to the signed-in account. Cannot revoke other users' sessions and cannot revoke the current session; use logout for the current session.",
      "method": "api",
      "endpoint": "/api/account/sessions/revoke",
      "read_only": false,
      "audit_write": true,
      "parameters": {
        "required": [
          "session_id"
        ]
      }
    },
    {
      "id": "account-password-change",
      "name": "Change account password",
      "description": "Change the signed-in account password with currentPassword and newPassword. Revokes other sessions. Never returns password hash or session tokens.",
      "method": "api",
      "endpoint": "/api/account/password/change",
      "read_only": false,
      "audit_write": true,
      "parameters": {
        "required": [
          "currentPassword",
          "newPassword"
        ]
      }
    }
  ]
}
