audd-openapi: drop phantom audd-ruby from dispatch matrix; clarify cron coverage in README

The 'Dispatch to SDKs' workflow had audd-ruby in its matrix — a repo that doesn't exist (we have 11 SDKs: python, node, go, rust, php, swift, kotlin, dotnet, java, c, cpp). Drop it. While there: reorder the remaining 9 to /sdks-page popularity order.

Update the README's contract-drift section to be accurate. The previous wording — 'Each SDK also runs the same tests on a nightly cron as a safety net' — was true for 9 of 11 SDKs but not c/cpp (which validate against fixtures inside their main CI instead, not via a separate contract workflow with cron). Spell out which 9 vs c/cpp.

Author: AudD

.github/workflows/ci.yml

@@ -0,0 +1,43 @@
+name: CI
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+jobs:
+  spec-validate:
+    name: OpenAPI spec validation
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-python@v5
+        with:
+          python-version: '3.12'
+          cache: pip
+          cache-dependency-path: requirements-dev.txt
+      - name: Install
+        run: pip install -r requirements-dev.txt
+      - name: Validate openapi.yaml structure
+        run: |
+          python -c "
+          import yaml, openapi_spec_validator as v
+          v.validate(yaml.safe_load(open('openapi.yaml')))
+          print('openapi.yaml: structurally valid')
+          "
+      - name: Validate fixtures against spec schemas
+        run: python tests/validate.py
+
+  redocly-lint:
+    name: Redocly lint
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+      - name: Install redocly
+        run: npm install -g @redocly/cli@1
+      - name: Lint
+        run: redocly lint openapi.yaml

.github/workflows/dispatch.yml

@@ -0,0 +1,53 @@
+name: Dispatch to SDKs
+
+on:
+  push:
+    branches: [main]
+    paths:
+      - 'openapi.yaml'
+      - 'fixtures/**'
+
+permissions: {}
+
+jobs:
+  fan-out:
+    name: Trigger contract tests across SDK repos
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        sdk:
+          - audd-python
+          - audd-node
+          - audd-go
+          - audd-rust
+          - audd-php
+          - audd-swift
+          - audd-kotlin
+          - audd-dotnet
+          - audd-java
+    steps:
+      - name: Generate GitHub App token
+        id: app-token
+        uses: actions/create-github-app-token@v1
+        with:
+          app-id: ${{ secrets.SDK_DISPATCH_APP_ID }}
+          private-key: ${{ secrets.SDK_DISPATCH_APP_PRIVATE_KEY }}
+          owner: AudDMusic
+          repositories: ${{ matrix.sdk }}
+
+      - name: Fire repository_dispatch
+        env:
+          GH_TOKEN: ${{ steps.app-token.outputs.token }}
+          SDK_REPO: ${{ matrix.sdk }}
+          TRIGGER_SHA: ${{ github.sha }}
+          TRIGGER_RUN_ID: ${{ github.run_id }}
+        run: |
+          gh api \
+            --method POST \
+            -H "Accept: application/vnd.github+json" \
+            "/repos/AudDMusic/$SDK_REPO/dispatches" \
+            -f event_type=openapi-updated \
+            -f "client_payload[trigger_sha]=$TRIGGER_SHA" \
+            -f "client_payload[trigger_run_id]=$TRIGGER_RUN_ID"
+          echo "dispatched openapi-updated to AudDMusic/$SDK_REPO"

.gitignore

@@ -0,0 +1,11 @@
+__pycache__/
+*.py[cod]
+.venv/
+venv/
+.pytest_cache/
+.mypy_cache/
+.ruff_cache/
+*.egg-info/
+.env
+.DS_Store
+fixtures/raw/*.json

LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 AudD, LLC (https://audd.io)
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

README.md

@@ -0,0 +1,60 @@
+# audd-openapi
+
+[![CI](https://github.com/AudDMusic/audd-openapi/actions/workflows/ci.yml/badge.svg)](https://github.com/AudDMusic/audd-openapi/actions/workflows/ci.yml)
+
+The canonical OpenAPI 3.1 specification for the [AudD](https://audd.io) music recognition API.
+
+This repository is the source of truth that all official AudD SDKs build their typed models against. Third parties can also use this spec to generate their own clients.
+
+| File | Purpose |
+|---|---|
+| [`openapi.yaml`](./openapi.yaml) | OpenAPI 3.1 spec covering every public AudD endpoint |
+| [`fixtures/`](./fixtures/) | Real captured API responses, PII scrubbed — used by every SDK's contract tests |
+| [`tests/validate.py`](./tests/validate.py) | Validates each fixture against its schema in `openapi.yaml` |
+| [`tests/capture_fixtures.py`](./tests/capture_fixtures.py) | Re-capture fixtures from the live API (requires an api_token) |
+
+## What's covered
+
+- **Standard recognition** — `POST/GET https://api.audd.io/`
+- **Enterprise recognition** — `POST https://enterprise.audd.io/` (hours- to days-long files)
+- **Stream management** — `setCallbackUrl`, `getCallbackUrl`, `addStream`, `getStreams`, `setStreamUrl`, `deleteStream`
+- **Longpoll** — `GET /longpoll/`
+- **Custom catalog upload** — `POST /upload/` (special access required)
+- **Lyrics search** — `POST /findLyrics/`
+
+The WebSocket recognition variant is intentionally not modeled — AudD recommends the HTTP endpoints for all use cases.
+
+## Validate locally
+
+```bash
+python -m venv .venv
+source .venv/bin/activate
+pip install -r requirements-dev.txt
+python tests/validate.py
+```
+
+To re-capture fixtures from the live API:
+
+```bash
+AUDD_TEST_TOKEN_STD=... AUDD_TEST_TOKEN_ENTERPRISE=... \
+    python tests/capture_fixtures.py
+python tests/scrub_fixtures.py
+```
+
+## Generate a client
+
+This spec is hand-written and validates against real fixtures. You can use it with any OpenAPI-compatible code generator. Note that AudD's official SDKs are hand-written rather than generated — to maximize idiomatic feel in each language — but they validate against this same spec.
+
+## Contract drift detection
+
+When this repo lands a change to `openapi.yaml` or `fixtures/`, a workflow fires `repository_dispatch` events at the nine SDK repos that have a separate contract workflow (audd-python, audd-node, audd-go, audd-rust, audd-php, audd-swift, audd-kotlin, audd-dotnet, audd-java) to re-run their contract tests against the new spec. Those nine SDKs also run the same contract tests on a daily cron at 06:00 UTC as a safety net. The audd-c and audd-cpp SDKs validate their parsers against fixtures inside their main CI build instead.
+
+## License
+
+MIT — see [LICENSE](./LICENSE).
+
+## Support
+
+- Documentation: https://docs.audd.io
+- Tokens: https://dashboard.audd.io
+- Email: api@audd.io

SECURITY.md

@@ -0,0 +1,15 @@
+# Security Policy
+
+## Reporting a vulnerability
+
+If you discover a security issue in this repository, please email **api@audd.io** privately. Do not open a public GitHub issue for security reports.
+
+We will acknowledge receipt within 2 business days and coordinate disclosure with you.
+
+## Scope
+
+- **In scope:** issues in the OpenAPI spec or fixtures hosted in this repository (e.g., a fixture that leaks production data, a spec entry that documents an unsafe pattern).
+- **Out of scope:** vulnerabilities in the per-language SDKs (file those on the corresponding `AudDMusic/audd-<lang>` repo) or in the AudD service / API itself (email **api@audd.io** with subject `AudD service: <summary>`).
+
+This repository contains specification documents and fixtures only — no production code, secrets, or services.
+

fixtures/README.md

@@ -0,0 +1,23 @@
+# Fixtures
+
+Real captured AudD API responses, used as the source of truth for SDK contract tests in every `audd-<lang>` repo.
+
+| File | Source | Endpoint | Notes |
+|---|---|---|---|
+| `recognize_basic.json` | live capture | `POST api.audd.io/` | Standard recognition without metadata |
+| `recognize_with_metadata.json` | live capture | `POST api.audd.io/` | Standard recognition with `return=apple_music,spotify,deezer,napster,musicbrainz` |
+| `recognize_custom_match.json` | synthesized from design spec | `POST api.audd.io/` | Custom-catalog match shape (only `timecode` + `audio_id`) — can't easily capture live without enterprise custom-catalog access |
+| `enterprise_with_isrc_upc.json` | live capture (enterprise token, `limit=1`) | `POST enterprise.audd.io/` | Enterprise success with ISRC and UPC fields |
+| `error_900_invalid_token.json` | live capture | `POST api.audd.io/` | Invalid api_token |
+| `error_700_no_file.json` | live capture | `POST api.audd.io/` | No file or url sent |
+| `error_19_no_callback_url.json` | live capture | `POST api.audd.io/getCallbackUrl/` | The "no callback URL configured" signal — server returns code 19 (catch-all "Internal error") |
+| `error_902_stream_limit.json` | live capture | `POST api.audd.io/addStream/` | Stream slots exhausted on subscription |
+| `error_904_enterprise_unauthorized.json` | live capture | `POST enterprise.audd.io/` | Standard token denied at enterprise endpoint |
+| `getStreams_empty.json` | live capture | `POST api.audd.io/getStreams/` | Empty stream list |
+| `longpoll_no_events.json` | live capture | `GET api.audd.io/longpoll/` | Longpoll timeout response (no new events) |
+| `streams_callback_with_result.json` | from docs.audd.io/streams.md | callback POSTed by AudD to user webhook | Recognition-result variant of the callback payload |
+| `streams_callback_with_notification.json` | from docs.audd.io/streams.md | callback POSTed by AudD to user webhook | Notification variant (stream connectivity) |
+
+Synthesized fixtures match the documented response shapes 1:1; they're called out explicitly so reviewers know which were captured live.
+
+To re-capture: see `tests/capture_fixtures.py`. **Always pass `limit=1` for enterprise endpoint calls.**

fixtures/enterprise_with_isrc_upc.json

@@ -0,0 +1,23 @@
+{
+  "status": "success",
+  "result": [
+    {
+      "songs": [
+        {
+          "score": 81,
+          "artist": "Tears For Fears",
+          "title": "Everybody Wants To Rule The World",
+          "album": "Songs From The Big Chair",
+          "release_date": "2014-11-10",
+          "label": "UMC (Universal Music Catalogue)",
+          "timecode": "00:57",
+          "isrc": "GBUM71403885",
+          "upc": "00602547037169",
+          "song_link": "https://lis.tn/NbkVb"
+        }
+      ],
+      "offset": "00:00"
+    }
+  ],
+  "execution_time": "159.226763ms"
+}

fixtures/error_19_no_callback_url.json

@@ -0,0 +1,14 @@
+{
+  "status": "error",
+  "error": {
+    "error_code": 19,
+    "error_message": "Getting the URL for callbacks failed: Internal error."
+  },
+  "request_params": {
+    "api_token": "d***e"
+  },
+  "request_api_method": "getCallbackUrl",
+  "request_http_method": "POST",
+  "see api documentation": "https://docs.audd.io",
+  "contact us": "api@audd.io"
+}

fixtures/error_700_no_file.json

@@ -0,0 +1,14 @@
+{
+  "status": "error",
+  "error": {
+    "error_code": 700,
+    "error_message": "Recognition failed: you haven't sent a file via POST or a file URL in the `url` parameter. If you sent the request by POST, please check the protocol you're using: the URL should start with https:// (http:// requests get redirected to https and we don't receive any data from you) and that your Content-Type header equals to `multipart/form-data`."
+  },
+  "request_params": {
+    "api_token": "d***e"
+  },
+  "request_api_method": "recognize",
+  "request_http_method": "POST",
+  "see api documentation": "https://docs.audd.io",
+  "contact us": "api@audd.io"
+}