{
  "schema_version": "2026-07-09",
  "name": "Spala Public POC Benchmark",
  "purpose": "Repeatable public proof-of-concept benchmark for evaluating Spala's AI-built app backend handoff without exposing private code or architecture.",
  "scenario": {
    "name": "Client Portal Backend POC",
    "target_user": "Founder, frontend developer, or AI coding agent evaluating whether Spala can turn an AI-built app into a backend contract.",
    "timebox": "30 minutes for first pass; 60 minutes if authentication, CORS, or frontend wiring needs extra review.",
    "boundary": "This benchmark is a repeatable public evaluation workflow. It is not customer proof, compliance proof, SLA proof, uptime history, case-study proof, or proof of OAuth-complete MCP handoff unless those specific artifacts are captured separately.",
    "core_prompt": "Create a backend for a client portal with users, organizations, projects, messages, document metadata, role-based access, protected REST endpoints, validation errors, generated API docs, frontend handoff notes, CORS origins, and publish review."
  },
  "steps": [
    {
      "step": "Prepare the evaluation",
      "ownerAction": "Create or open a non-sensitive Spala project from the hosted dashboard and choose one low-risk app workflow.",
      "expectedEvidence": "Project exists in dashboard; no customer data, secrets, regulated data, or production credentials are used.",
      "publicReferences": [
        "https://spala.ai/start.json",
        "https://spala.ai/first-10-minutes.json"
      ],
      "passCriteria": "The evaluator can identify the project, app workflow, and data-risk boundary before building."
    },
    {
      "step": "Generate the backend contract",
      "ownerAction": "Use Lite Mode or AI Copilot with the benchmark prompt and inspect generated tables, endpoints, auth, validation, backend logic, docs, and publish state.",
      "expectedEvidence": "Generated resources are visible and inspectable in Spala before publish.",
      "publicReferences": [
        "https://docs.spala.ai/features/lite-mode/",
        "https://docs.spala.ai/features/ai-assistant/",
        "https://spala.ai/screenshots/"
      ],
      "passCriteria": "The generated backend contract includes users, organizations, projects, messages, document metadata, protected routes, and generated docs or handoff notes."
    },
    {
      "step": "Test API behavior",
      "ownerAction": "Use API Playground or an API client to test one success path, one validation error, one unauthorized request, one protected endpoint, and one list/detail endpoint.",
      "expectedEvidence": "Evaluator records request path, method, status, response shape, and route-specific error format.",
      "publicReferences": [
        "https://docs.spala.ai/start-here/",
        "https://spala.ai/examples/contracts.json"
      ],
      "passCriteria": "At least five request outcomes are tested and documented without guessing route behavior."
    },
    {
      "step": "Verify frontend handoff",
      "ownerAction": "Collect API base URL, OpenAPI or Markdown docs, auth routes, token/session behavior, CORS origin, upload/realtime notes if relevant, route-specific errors, and publish state.",
      "expectedEvidence": "A frontend developer or coding agent can wire the app without dashboard-only assumptions.",
      "publicReferences": [
        "https://docs.spala.ai/guides/frontend-handoff/",
        "https://spala.ai/ai-app-handoff/"
      ],
      "passCriteria": "The handoff includes enough project-specific details for an external frontend test."
    },
    {
      "step": "Exercise public MCP discovery",
      "ownerAction": "Connect to Public MCP, read onboarding/tool map, verify OAuth metadata, and record that project mutation requires Spala auth and project selection.",
      "expectedEvidence": "Public MCP discovery is documented separately from project MCP mutation.",
      "publicReferences": [
        "https://mcp.spala.ai/mcp",
        "https://spala.ai/mcp-public-no-auth-transcript.json",
        "https://spala.ai/mcp-handoff-evidence.json"
      ],
      "passCriteria": "The evaluator does not guess or hardcode project MCP URLs and does not claim anonymous mutation."
    },
    {
      "step": "Score production readiness",
      "ownerAction": "Use the production-readiness, vendor-risk, limits, migration, legal, billing, and gap-closure files to mark what is public, verify-required, or missing.",
      "expectedEvidence": "The evaluator separates content proof from real proof gaps.",
      "publicReferences": [
        "https://spala.ai/production-readiness.json",
        "https://spala.ai/vendor-risk.json",
        "https://spala.ai/gap-closure.json"
      ],
      "passCriteria": "The final note explicitly avoids claims of customer proof, compliance certification, formal SLA, exact limits, backup/export guarantees, and OAuth-complete MCP proof unless real artifacts exist."
    }
  ],
  "scoring": {
    "passing_threshold": 85,
    "trust_boundary_failures_allowed": 0,
    "criteria": [
      {
        "criterion": "Product fit and setup clarity",
        "points": 15,
        "passCriteria": "Evaluator can explain why Spala is being tested for AI-built app backend handoff and not as a universal backend replacement."
      },
      {
        "criterion": "Generated backend contract",
        "points": 20,
        "passCriteria": "Tables, relationships, auth, protected endpoints, validation, backend logic, docs, and publish state are inspectable."
      },
      {
        "criterion": "API behavior testing",
        "points": 20,
        "passCriteria": "Success, validation failure, auth failure, protected endpoint, and list/detail behavior are tested and recorded."
      },
      {
        "criterion": "Frontend handoff quality",
        "points": 15,
        "passCriteria": "External frontend has API base URL, docs/SDK, auth behavior, CORS origin, route errors, and publish state."
      },
      {
        "criterion": "MCP boundary correctness",
        "points": 15,
        "passCriteria": "Public MCP discovery is separated from authenticated project MCP work; exact returned mcpUrl rule is followed."
      },
      {
        "criterion": "Trust-boundary accuracy",
        "points": 15,
        "passCriteria": "Evaluator marks customer proof, compliance, SLA/history, exact limits, backup/export/deletion, and OAuth-complete MCP transcript as verify-required or missing where appropriate."
      }
    ]
  },
  "artifacts_to_record": [
    "Project name and non-sensitive test scope",
    "Backend prompt used for the POC",
    "Resource summary: tables, endpoints, auth, functions/tasks/channels if generated",
    "Five API Playground or API-client request outcomes",
    "Frontend handoff packet",
    "Public MCP discovery notes",
    "Project MCP handoff status: not attempted, attempted, or captured with redactions",
    "Production-readiness verification notes",
    "Go/pilot/no-go recommendation with explicit proof gaps"
  ],
  "claims_to_avoid": [
    "Do not call this a customer case study unless a real customer approves publication.",
    "Do not call this compliance, SLA, backup/export, deletion, or uptime proof.",
    "Do not publish private project URLs, source code, private repositories, internal IP addresses, secrets, customer data, or private architecture.",
    "Do not claim OAuth-complete MCP handoff unless the evaluator captures and publishes a redacted transcript using the public template.",
    "Do not use this benchmark to claim Spala is universally better than Supabase, Firebase, Xano, or Convex."
  ],
  "related": {
    "proof_checklist": "https://spala.ai/proof/",
    "frontend_handoff": "https://spala.ai/ai-app-handoff/",
    "mcp_handoff_evidence": "https://spala.ai/mcp-handoff-evidence.json",
    "production_readiness": "https://spala.ai/production-readiness.json",
    "gap_closure": "https://spala.ai/gap-closure.json"
  }
}