Add OpenAPI-based API Reference anchor to docs.json alongside the existing SDK Reference, pointing to openapi-public.yml spec.

- scripts/envd.py: Merges proto-generated and hand-written specs into a single openapi-public.yml
- scripts/validate_api_reference.py: Validates the spec against the live API across 12 phases

The script now clones e2b-dev/infra at specified commits inside Docker
instead of reading from local paths. Supports separate --envd-commit and
--api-commit flags (defaults to main). Regenerated openapi-public.yml
from latest main.

Sandbox endpoints always require Authorization: Bearer <token> using the
envdAccessToken from sandbox creation. Update generate script to set
required auth, update validate script to always pass token and create
sandboxes with secure: true.

…KEN support

- Keep AccessTokenAuth (type: http, scheme: bearer) for platform endpoints
- Remove /files from AUTH_EXEMPT_ENDPOINTS (only /health is exempt)
- Add E2B_ACCESS_TOKEN env var to validate script for Bearer auth testing
- Pass sandbox access token to /files endpoints in validate script
- Fix sandboxID server variable default to $SANDBOX_ID

- Add bearer_hdr() helper for AccessTokenAuth endpoints
- Read E2B_ACCESS_TOKEN env var for GET /teams and legacy template endpoints
- Discover team ID via GET /teams when Bearer token is available

Generate script (fix_spec_issues):
- Add 'uploaded' to TemplateBuildStatus enum
- Make 'volumeMounts' optional in SandboxDetail/ListedSandbox
- Remove strict LogLevel enum (server sends non-enum values)
- Add mem_used_mib/mem_total_mib to Metrics schema

Validate script:
- Fix /health expected status to 204
- Fix /init expected status to 401 (re-init rejected)
- Remove /v2/sandboxes/{id}/logs test (endpoint doesn't exist)

204 means No Content — don't add application/json schema to these responses.

- POST /v3/templates (202): create template, validate schema, clean up
- POST /v2/templates (202): create template, validate schema, clean up
- PATCH /v2/templates/{templateID} (200): update public field, validate schema
- PATCH /templates/{templateID} (200): deprecated endpoint success test
- POST /v2/.../builds/{buildID} (202): start build on created template
- POST /templates/tags (201): assign tag using existing name:tag target
- DELETE /templates/tags (204): remove test tag
- DELETE /templates/{templateID}: real cleanup of test templates
- GET /templates/{templateID}/tags: discover existing tags in phase 2
- Drop minor findings from report and exit code (CI-oriented)

1. Streaming RPCs: content-type → application/connect+json, add
   Connect-Protocol-Version and Connect-Timeout-Ms headers
2. EndEvent.exitCode: marked deprecated, document status string parsing
3. envdAccessToken: clarify only returned with secure: true, mark nullable
4. LogLevel: fix description ("State of the sandbox" → log severity)
5. Sandbox.domain: mark deprecated (always null)
6. GET /templates/{id}/files/{hash}: change 201 → 200 response

Issues 4 (pagination response) and 5 (DELETE with body) are upstream
API design decisions that cannot be fixed in the spec alone.

Generation script fixes (fix_spec_issues):
- Generate operationId for all 52 platform endpoints
- Remove phantom /v2/sandboxes/{sandboxID}/logs deprecation reference
- Complete truncated 'start'/'end' parameter descriptions on metrics
- Fix sandboxId → sandboxID casing in 502 error schema
- Add security: [] and 'health' tag to GET /health
- Remove YAML anchor overlay on /files responses (DownloadSuccess/UploadSuccess)
- Add type: object to 53 schemas missing it
- Move 'end' param description out of schema to sibling level

Also fix fill_empty_responses to skip $ref responses.

Upstream issues not fixable in spec:
- allow_internet_access snake_case (server field name)
- Duplicate EntryInfo schemas (different APIs)
- Inconsistent error response coverage (API behavior)
- Auth inconsistency across template versions (intentional v1→v2/v3)

Schema fixes:
- EntryInfo.type: add 'directory' to enum (was file-only)
- SandboxMetadata, EnvVars: add type: object (had only additionalProperties)
- TemplateLegacy: add missing 'names' and 'buildStatus' fields
- connect-protocol-version: remove redundant enum (const suffices)
- filesystem.EntryInfo.size: document int/string union type (int64)

Response fixes:
- PATCH /templates/{templateID}: return TemplateUpdateResponse (was empty)
- POST /sandboxes/{sandboxID}/refreshes: add missing 500 response
- GET /health 502: content-type → application/json (was connect+json)

Also fix fill_empty_responses to skip $ref responses.

- Rewrite operationId generator with proper singularization
  (sandboxes→sandbox, not sandboxe)
- Use 'list' prefix for collection GETs (listSandboxes, listTemplates)
- Include version suffix for v2/v3 variants (postTemplatesV3)
- Singularize parent resource when followed by path param
  (GET /sandboxes/{id}/logs → getSandboxLogs)
- Dedup check ensures all 52 platform operationIds are unique

…idebar names

…points, add status mismatch catch-all

- Change DELETE /templates/{templateID} cleanup expected status from 200 to 204
- Remove POST /init test (internal endpoint, not in public spec)
- Remove unauthenticated 401 tests to avoid load balancer rate limiting
- Use account-owned template alias instead of hardcoded 'base' for alias test
- Send no-op Update to process instead of PTY resize (avoids 500 on non-PTY process)
- Add post-processing catch-all that flags any tested endpoint with unexpected status code

…hase 3, update workflow

- Remove 3 endpoints that tested API key against Bearer-only endpoints (just confirmed 401)
- Move GET /templates/aliases/{alias} test to phase 3, use the test template we create there
- Update workflow to generate spec, diff, run validation, and create PR with status indicator