later

validator: refactor everything
validator: move files
2025-03-31 18:24:02 -07:00 · 2025-03-31 18:24:02 -07:00 · 2025-03-31 18:14:08 -07:00 · 2025-03-31 18:13:31 -07:00 · 2025-03-31 18:09:50 -07:00 · 2025-03-31 18:09:25 -07:00
113 changed files with 17352 additions and 7817 deletions
--- a/.drone.yml
+++ b/.drone.yml
@@ -67,7 +67,10 @@ steps:
  - name: deploy
    image: argoproj/argocd:latest
    commands:
-      - echo "Deploy!" # Not going to do actually do this until 
+      - argocd login --grpc-web cd.stricity.com --username $USERNAME --password $PASSWORD
+      - argocd app --grpc-web set ${DRONE_BRANCH}-maps-service --kustomize-image registry.itzana.me/strafesnet/maptest-api:${DRONE_BRANCH}-${DRONE_BUILD_NUMBER}
+      - argocd app --grpc-web set ${DRONE_BRANCH}-maps-service --kustomize-image registry.itzana.me/strafesnet/maptest-frontend:${DRONE_BRANCH}-${DRONE_BUILD_NUMBER}
+      - argocd app --grpc-web set ${DRONE_BRANCH}-maps-service --kustomize-image registry.itzana.me/strafesnet/maptest-validator:${DRONE_BRANCH}-${DRONE_BUILD_NUMBER}
    environment:
      USERNAME:
        from_secret: ARGO_USER
@@ -83,6 +86,6 @@ steps:
        - staging
 ---
 kind: signature
-hmac: 9958fd5b01af1ebcc75f7277fe71eb5336b899445c359cecf1b14e83b3d05059
+hmac: 1162b329a9cad12b4c5db0ccf8b8998072b0de9279326f76a493fd0af6794095

 ...
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,2 @@
-.idea
+.idea
+/target
--- a/validation/Cargo.lock
+++ b/validation/Cargo.lock
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -0,0 +1,6 @@
+[workspace]
+members = [
+	"validation",
+	"validation/api",
+]
+resolver = "2"
--- a/8
+++ b/8
@@ -1,5 +1,5 @@
-maps-service:
-	DOCKER_BUILDKIT=1 docker build . -f Containerfile -t maps-service 
+submissions:
+	DOCKER_BUILDKIT=1 docker build . -f Containerfile -t maps-service-submissions

 web:
 	docker build web -f web/Containerfile -t maps-service-web
@@ -7,6 +7,6 @@ web:
 validation:
 	docker build validation -f validation/Containerfile -t maps-service-validation

-all: maps-service web validation
+all: submissions web validation

-.PHONY: maps-service web validation
+.PHONY: submissions web validation
--- a/README.md
+++ b/README.md
@@ -26,6 +26,12 @@ Prerequisite: golang installed

 Prerequisite: bun installed

+The environment variable `API_HOST` will need to be set for the middleware.
+Example `.env` in web's root:
+```
+API_HOST="http://localhost:8082/v1/"
+```
+
 1. `cd web`
 2. `bun install`

@@ -43,6 +49,12 @@ Prerequisite: rust installed
 1. `cd validation`
 2. `cargo run --release`

+Environment Variables:
+- ROBLOX_GROUP_ID
+- RBXCOOKIE
+- API_HOST_INTERNAL
+- NATS_HOST
+
 #### License

 <sup>
--- a/compose.yaml
+++ b/compose.yaml
@@ -11,15 +11,17 @@ services:
    networks:
      - maps-service-network

-  mapsservice:
+  submissions:
    image:
-      maps-service
-    container_name: mapsservice
+      maps-service-submissions
+    container_name: submissions
    command: [
      # debug
      "--debug","serve",
      # http service port
      "--port","8082",
+      # internal http endpoints
+      "--port-internal","8083",
      # postgres
      "--pg-host","10.0.0.29",
      "--pg-port","5432",
@@ -28,7 +30,8 @@ services:
      "--pg-password","happypostgresuser",
      # other hosts
      "--nats-host","nats:4222",
-      "--auth-rpc-host","authrpc:8081"
+      "--auth-rpc-host","authrpc:8081",
+      "--data-rpc-host","dataservice:9000",
    ]
    depends_on:
      - authrpc
@@ -45,21 +48,24 @@ services:
      - maps-service-network
    ports:
      - "3000:3000"
+    environment:
+      - API_HOST=http://submissions:8082/v1

  validation:
    image:
      maps-service-validation
    container_name: validation
+    env_file:
+      - ../auth-compose/strafesnet_staging.env
    environment:
-      - RBXCOOKIE
-      - API_HOST=http://mapsservice:8082
+      - ROBLOX_GROUP_ID=17032139 # "None" is special case string value
+      - API_HOST_INTERNAL=http://submissions:8083/v1
      - NATS_HOST=nats:4222
-      - DATA_HOST=http://dataservice:9000
    depends_on:
      - nats
-      # note: this races the mapsservice which creates a nats stream
+      # note: this races the submissions which creates a nats stream
      # the validation will panic if the nats stream is not created
-      - mapsservice
+      - submissions
      - dataservice
    networks:
      - maps-service-network
@@ -87,11 +93,12 @@ services:
      - maps-service-network

  authrpc:
-    image: registry.itzana.me/strafesnet/auth-service:master
+    image: registry.itzana.me/strafesnet/auth-service:staging
    container_name: authrpc
    command: ["serve", "rpc"]
    environment:
      - REDIS_ADDR=authredis:6379
+      - RBX_GROUP_ID=17032139
    env_file:
      - ../auth-compose/auth-service.env
    depends_on:
@@ -102,7 +109,7 @@ services:
      driver: "none"

  auth-web:
-    image: registry.itzana.me/strafesnet/auth-service:master
+    image: registry.itzana.me/strafesnet/auth-service:staging
    command: ["serve", "web"]
    environment:
      - REDIS_ADDR=authredis:6379
--- a/generate.go
+++ b/generate.go
@@ -1,3 +1,4 @@
 package main

 //go:generate go run github.com/ogen-go/ogen/cmd/ogen@latest --target pkg/api --clean openapi.yaml
+//go:generate go run github.com/ogen-go/ogen/cmd/ogen@latest --target pkg/internal --clean openapi-internal.yaml
--- a/openapi-internal.yaml
+++ b/openapi-internal.yaml
@@ -0,0 +1,398 @@
+openapi: 3.1.0
+info:
+  title: StrafesNET Internal - OpenAPI 3.1
+  description: Internal operations inaccessible from the public internet.
+  version: 0.1.0
+tags:
+  - name: Submissions
+    description: Submission operations
+paths:
+  /submissions/{SubmissionID}/validated-model:
+    post:
+      summary: Update validated model
+      operationId: updateSubmissionValidatedModel
+      tags:
+        - Submissions
+      parameters:
+        - $ref: '#/components/parameters/SubmissionID'
+        - name: ValidatedModelID
+          in: query
+          required: true
+          schema:
+            type: integer
+            format: int64
+        - name: ValidatedModelVersion
+          in: query
+          required: true
+          schema:
+            type: integer
+            format: int64
+      responses:
+        "204":
+          description: Successful response
+        default:
+          description: General Error
+          content:
+            application/json:
+              schema:
+                $ref: "#/components/schemas/Error"
+  /submissions/{SubmissionID}/status/validator-validated:
+    post:
+      summary: (Internal endpoint) Role Validator changes status from Validating -> Validated
+      operationId: actionSubmissionValidated
+      tags:
+        - Submissions
+      parameters:
+        - $ref: '#/components/parameters/SubmissionID'
+      responses:
+        "204":
+          description: Successful response
+        default:
+          description: General Error
+          content:
+            application/json:
+              schema:
+                $ref: "#/components/schemas/Error"
+  /submissions/{SubmissionID}/status/validator-failed:
+    post:
+      summary: (Internal endpoint) Role Validator changes status from Validating -> Accepted
+      operationId: actionSubmissionAccepted
+      tags:
+        - Submissions
+      parameters:
+        - $ref: '#/components/parameters/SubmissionID'
+        - name: StatusMessage
+          in: query
+          required: true
+          schema:
+            type: string
+            minLength: 0
+            maxLength: 4096
+      responses:
+        "204":
+          description: Successful response
+        default:
+          description: General Error
+          content:
+            application/json:
+              schema:
+                $ref: "#/components/schemas/Error"
+  /submissions/{SubmissionID}/status/validator-uploaded:
+    post:
+      summary: (Internal endpoint) Role Validator changes status from Uploading -> Uploaded
+      operationId: actionSubmissionUploaded
+      tags:
+        - Submissions
+      parameters:
+        - $ref: '#/components/parameters/SubmissionID'
+        - name: UploadedAssetID
+          in: query
+          required: true
+          schema:
+            type: integer
+            format: int64
+      responses:
+        "204":
+          description: Successful response
+        default:
+          description: General Error
+          content:
+            application/json:
+              schema:
+                $ref: "#/components/schemas/Error"
+  /script-policy:
+    get:
+      summary: Get list of script policies
+      operationId: listScriptPolicy
+      tags:
+        - ScriptPolicy
+      parameters:
+      - $ref: "#/components/parameters/Page"
+      - $ref: "#/components/parameters/Limit"
+      - name: FromScriptHash
+        in: query
+        schema:
+          type: string
+          minLength: 16
+          maxLength: 16
+      - name: ToScriptID
+        in: query
+        schema:
+          type: integer
+          format: int64
+      - name: Policy
+        in: query
+        schema:
+          type: integer
+          format: int32
+      responses:
+        "200":
+          description: Successful response
+          content:
+            application/json:
+              schema:
+                type: array
+                items:
+                  $ref: "#/components/schemas/ScriptPolicy"
+        default:
+          description: General Error
+          content:
+            application/json:
+              schema:
+                $ref: "#/components/schemas/Error"
+    post:
+      summary: Create a new script policy
+      operationId: createScriptPolicy
+      tags:
+        - ScriptPolicy
+      requestBody:
+        required: true
+        content:
+          application/json:
+            schema:
+              $ref: '#/components/schemas/ScriptPolicyCreate'
+      responses:
+        "201":
+          description: Successful response
+          content:
+            application/json:
+              schema:
+                $ref: "#/components/schemas/Id"
+        default:
+          description: General Error
+          content:
+            application/json:
+              schema:
+                $ref: "#/components/schemas/Error"
+  /scripts:
+    get:
+      summary: Get list of scripts
+      operationId: listScripts
+      tags:
+        - Script
+      parameters:
+      - $ref: "#/components/parameters/Page"
+      - $ref: "#/components/parameters/Limit"
+      - name: Hash
+        in: query
+        schema:
+          type: string
+          minLength: 16
+          maxLength: 16
+      - name: Name
+        in: query
+        schema:
+          type: string
+          maxLength: 128
+      - name: Source
+        in: query
+        schema:
+          type: string
+          maxLength: 1048576
+      - name: SubmissionID
+        in: query
+        schema:
+          type: integer
+          format: int64
+      responses:
+        "200":
+          description: Successful response
+          content:
+            application/json:
+              schema:
+                type: array
+                items:
+                  $ref: "#/components/schemas/Script"
+        default:
+          description: General Error
+          content:
+            application/json:
+              schema:
+                $ref: "#/components/schemas/Error"
+    post:
+      summary: Create a new script
+      operationId: createScript
+      tags:
+        - Scripts
+      requestBody:
+        required: true
+        content:
+          application/json:
+            schema:
+              $ref: '#/components/schemas/ScriptCreate'
+      responses:
+        "201":
+          description: Successful response
+          content:
+            application/json:
+              schema:
+                $ref: "#/components/schemas/Id"
+        default:
+          description: General Error
+          content:
+            application/json:
+              schema:
+                $ref: "#/components/schemas/Error"
+  /scripts/{ScriptID}:
+    get:
+      summary: Get the specified script by ID
+      operationId: getScript
+      tags:
+        - Scripts
+      parameters:
+        - $ref: '#/components/parameters/ScriptID'
+      responses:
+        "200":
+          description: Successful response
+          content:
+            application/json:
+              schema:
+                $ref: "#/components/schemas/Script"
+        default:
+          description: General Error
+          content:
+            application/json:
+              schema:
+                $ref: "#/components/schemas/Error"
+components:
+  parameters:
+    SubmissionID:
+      name: SubmissionID
+      in: path
+      required: true
+      description: The unique identifier for a submission.
+      schema:
+        type: integer
+        format: int64
+    ScriptID:
+      name: ScriptID
+      in: path
+      required: true
+      description: The unique identifier for a script.
+      schema:
+        type: integer
+        format: int64
+    Page:
+      name: Page
+      in: query
+      required: true
+      schema:
+        type: integer
+        format: int32
+        minimum: 1
+    Limit:
+      name: Limit
+      in: query
+      required: true
+      schema:
+        type: integer
+        format: int32
+        minimum: 1
+        maximum: 100
+  schemas:
+    Id:
+      required:
+      - ID
+      type: object
+      properties:
+        ID:
+          type: integer
+          format: int64
+    Script:
+      required:
+      - ID
+      - Name
+      - Hash
+      - Source
+      - ResourceType
+      - ResourceID
+      type: object
+      properties:
+        ID:
+          type: integer
+          format: int64
+        Name:
+          type: string
+          maxLength: 128
+        Hash:
+          type: string
+          minLength: 16
+          maxLength: 16
+        Source:
+          type: string
+          maxLength: 1048576
+        ResourceType:
+          type: integer
+          format: int32
+        ResourceID:
+          type: integer
+          format: int64
+    ScriptCreate:
+      required:
+      - Name
+      - Source
+      - ResourceType
+#     - ResourceID
+      type: object
+      properties:
+        Name:
+          type: string
+          maxLength: 128
+        Source:
+          type: string
+          maxLength: 1048576
+        ResourceType:
+          type: integer
+          format: int32
+        ResourceID:
+          type: integer
+          format: int64
+    ScriptPolicy:
+      required:
+      - ID
+      - FromScriptHash
+      - ToScriptID
+      - Policy
+      type: object
+      properties:
+        ID:
+          type: integer
+          format: int64
+        FromScriptHash:
+          type: string
+          minLength: 16
+          maxLength: 16
+        ToScriptID:
+          type: integer
+          format: int64
+        Policy:
+          type: integer
+          format: int32
+    ScriptPolicyCreate:
+      required:
+      - FromScriptID
+      - ToScriptID
+      - Policy
+      type: object
+      properties:
+        FromScriptID:
+          type: integer
+          format: int64
+        ToScriptID:
+          type: integer
+          format: int64
+        Policy:
+          type: integer
+          format: int32
+    Error:
+      description: Represents error object
+      type: object
+      properties:
+        code:
+          type: integer
+          format: int64
+        message:
+          type: string
+      required:
+        - code
+        - message
--- a/openapi.yaml
+++ b/openapi.yaml
@@ -6,34 +6,104 @@ info:
 servers:
  - url: https://submissions.strafes.net/v1
 tags:
+  - name: Session
+    description: Session operations
  - name: Submissions
    description: Submission operations
  - name: Scripts
    description: Script operations
  - name: ScriptPolicy
    description: Script policy operations
+security:
+  - cookieAuth: []
 paths:
+  /session/user:
+    get:
+      summary: Get information about the currently logged in user
+      operationId: sessionUser
+      tags:
+        - Session
+      responses:
+        "200":
+          description: Successful response
+          content:
+            application/json:
+              schema:
+                $ref: "#/components/schemas/User"
+        default:
+          description: General Error
+          content:
+            application/json:
+              schema:
+                $ref: "#/components/schemas/Error"
+  /session/roles:
+    get:
+      summary: Get list of roles for the current session
+      operationId: sessionRoles
+      tags:
+        - Session
+      responses:
+        "200":
+          description: Successful response
+          content:
+            application/json:
+              schema:
+                $ref: "#/components/schemas/Roles"
+        default:
+          description: General Error
+          content:
+            application/json:
+              schema:
+                $ref: "#/components/schemas/Error"
+  /session/validate:
+    get:
+      summary: Ask if the current session is valid
+      operationId: sessionValidate
+      tags:
+        - Session
+      responses:
+        "200":
+          description: Successful response
+          content:
+            application/json:
+              schema:
+                type: boolean
+        default:
+          description: General Error
+          content:
+            application/json:
+              schema:
+                $ref: "#/components/schemas/Error"
  /submissions:
    get:
      summary: Get list of submissions
      operationId: listSubmissions
      tags:
        - Submissions
-      requestBody:
-        required: true
-        content:
-          application/json:
-            schema:
-              required:
-              - Page
-              type: object
-              properties:
-                Page:
-                  $ref: "#/components/schemas/Pagination"
-                Filter:
-                  $ref: "#/components/schemas/SubmissionFilter"
-      security:
-      - cookieAuth: []
+      security: []
+      parameters:
+      - $ref: "#/components/parameters/Page"
+      - $ref: "#/components/parameters/Limit"
+      - name: DisplayName
+        in: query
+        schema:
+          type: string
+          maxLength: 128
+      - name: Creator
+        in: query
+        schema:
+          type: string
+          maxLength: 128
+      - name: GameID
+        in: query
+        schema:
+          type: integer
+          format: int32
+      - name: Sort
+        in: query
+        schema:
+          type: integer
+          format: int32
      responses:
        "200":
          description: Successful response
@@ -60,8 +130,6 @@ paths:
          application/json:
            schema:
              $ref: '#/components/schemas/SubmissionCreate'
-      security:
-      - cookieAuth: []
      responses:
        "201":
          description: Successful response
@@ -81,10 +149,9 @@ paths:
      operationId: getSubmission
      tags:
        - Submissions
+      security: []
      parameters:
        - $ref: '#/components/parameters/SubmissionID'
-      security:
-      - cookieAuth: []
      responses:
        "200":
          description: Successful response
@@ -118,8 +185,6 @@ paths:
          schema:
            type: integer
            format: int64
-      security:
-      - cookieAuth: []
      responses:
        "204":
          description: Successful response
@@ -131,14 +196,12 @@ paths:
                $ref: "#/components/schemas/Error"
  /submissions/{SubmissionID}/completed:
    post:
-      summary: Retrieve map with ID
+      summary: Called by maptest when a player completes the map
      operationId: setSubmissionCompleted
      tags:
        - Submissions
      parameters:
        - $ref: '#/components/parameters/SubmissionID'
-      security:
-      - cookieAuth: []
      responses:
        "204":
          description: Successful response
@@ -156,8 +219,6 @@ paths:
        - Submissions
      parameters:
        - $ref: '#/components/parameters/SubmissionID'
-      security:
-      - cookieAuth: []
      responses:
        "204":
          description: Successful response
@@ -175,8 +236,6 @@ paths:
        - Submissions
      parameters:
        - $ref: '#/components/parameters/SubmissionID'
-      security:
-      - cookieAuth: []
      responses:
        "204":
          description: Successful response
@@ -188,14 +247,46 @@ paths:
                $ref: "#/components/schemas/Error"
  /submissions/{SubmissionID}/status/trigger-validate:
    post:
-      summary: Role Reviewer triggers validation and changes status from Submitted|Accepted -> Validating
+      summary: Role Reviewer triggers validation and changes status from Submitted -> Validating
      operationId: actionSubmissionTriggerValidate
      tags:
        - Submissions
      parameters:
        - $ref: '#/components/parameters/SubmissionID'
-      security:
-      - cookieAuth: []
+      responses:
+        "204":
+          description: Successful response
+        default:
+          description: General Error
+          content:
+            application/json:
+              schema:
+                $ref: "#/components/schemas/Error"
+  /submissions/{SubmissionID}/status/retry-validate:
+    post:
+      summary: Role Reviewer re-runs validation and changes status from Accepted -> Validating
+      operationId: actionSubmissionRetryValidate
+      tags:
+        - Submissions
+      parameters:
+        - $ref: '#/components/parameters/SubmissionID'
+      responses:
+        "204":
+          description: Successful response
+        default:
+          description: General Error
+          content:
+            application/json:
+              schema:
+                $ref: "#/components/schemas/Error"
+  /submissions/{SubmissionID}/status/reset-validating:
+    post:
+      summary: Role Reviewer manually resets validating softlock and changes status from Validating -> Accepted
+      operationId: actionSubmissionAccepted
+      tags:
+        - Submissions
+      parameters:
+        - $ref: '#/components/parameters/SubmissionID'
      responses:
        "204":
          description: Successful response
@@ -213,8 +304,6 @@ paths:
        - Submissions
      parameters:
        - $ref: '#/components/parameters/SubmissionID'
-      security:
-      - cookieAuth: []
      responses:
        "204":
          description: Successful response
@@ -232,8 +321,6 @@ paths:
        - Submissions
      parameters:
        - $ref: '#/components/parameters/SubmissionID'
-      security:
-      - cookieAuth: []
      responses:
        "204":
          description: Successful response
@@ -243,10 +330,10 @@ paths:
            application/json:
              schema:
                $ref: "#/components/schemas/Error"
-  /submissions/{SubmissionID}/status/validator-validated:
+  /submissions/{SubmissionID}/status/trigger-upload:
    post:
-      summary: (Internal endpoint) Role Validator changes status from Validating -> Validated
-      operationId: actionSubmissionValidate
+      summary: Role Admin changes status from Validated -> Uploading
+      operationId: actionSubmissionTriggerUpload
      tags:
        - Submissions
      parameters:
@@ -260,10 +347,10 @@ paths:
            application/json:
              schema:
                $ref: "#/components/schemas/Error"
-  /submissions/{SubmissionID}/status/validator-published:
+  /submissions/{SubmissionID}/status/reset-uploading:
    post:
-      summary: (Internal endpoint) Role Validator changes status from Publishing -> Published
-      operationId: actionSubmissionPublish
+      summary: Role Admin manually resets uploading softlock and changes status from Uploading -> Validated
+      operationId: actionSubmissionValidated
      tags:
        - Submissions
      parameters:
@@ -277,18 +364,24 @@ paths:
            application/json:
              schema:
                $ref: "#/components/schemas/Error"
-  /submissions/{SubmissionID}/status/trigger-publish:
+  /release-submissions:
    post:
-      summary: Role Admin changes status from Validated -> Publishing
-      operationId: actionSubmissionTriggerPublish
+      summary: Release a set of uploaded maps
+      operationId: releaseSubmissions
      tags:
        - Submissions
-      parameters:
-        - $ref: '#/components/parameters/SubmissionID'
-      security:
-      - cookieAuth: []
+      requestBody:
+        required: true
+        content:
+          application/json:
+            schema:
+              type: array
+              minItems: 1
+              maxItems: 255
+              items:
+                $ref: '#/components/schemas/ReleaseInfo'
      responses:
-        "204":
+        "201":
          description: Successful response
        default:
          description: General Error
@@ -302,21 +395,26 @@ paths:
      operationId: listScriptPolicy
      tags:
        - ScriptPolicy
-      requestBody:
-        required: true
-        content:
-          application/json:
-            schema:
-              required:
-              - Page
-              type: object
-              properties:
-                Page:
-                  $ref: "#/components/schemas/Pagination"
-                Filter:
-                  $ref: "#/components/schemas/ScriptPolicyFilter"
-      security:
-      - cookieAuth: []
+      security: []
+      parameters:
+      - $ref: "#/components/parameters/Page"
+      - $ref: "#/components/parameters/Limit"
+      - name: FromScriptHash
+        in: query
+        schema:
+          type: string
+          minLength: 16
+          maxLength: 16
+      - name: ToScriptID
+        in: query
+        schema:
+          type: integer
+          format: int64
+      - name: Policy
+        in: query
+        schema:
+          type: integer
+          format: int32
      responses:
        "200":
          description: Successful response
@@ -343,8 +441,6 @@ paths:
          application/json:
            schema:
              $ref: '#/components/schemas/ScriptPolicyCreate'
-      security:
-      - cookieAuth: []
      responses:
        "201":
          description: Successful response
@@ -358,45 +454,15 @@ paths:
            application/json:
              schema:
                $ref: "#/components/schemas/Error"
-  /script-policy/hash/{FromScriptHash}:
-    get:
-      summary: Get the policy for the given hash of script source code
-      operationId: getScriptPolicyFromHash
-      tags:
-        - ScriptPolicy
-      parameters:
-        - name: FromScriptHash
-          in: path
-          required: true
-          schema:
-            type: string
-            minLength: 16
-            maxLength: 16
-      security:
-      - cookieAuth: []
-      responses:
-        "200":
-          description: Successful response
-          content:
-            application/json:
-              schema:
-                $ref: "#/components/schemas/ScriptPolicy"
-        default:
-          description: General Error
-          content:
-            application/json:
-              schema:
-                $ref: "#/components/schemas/Error"
-  /script-policy/id/{ScriptPolicyID}:
+  /script-policy/{ScriptPolicyID}:
    get:
      summary: Get the specified script policy by ID
      operationId: getScriptPolicy
      tags:
        - ScriptPolicy
+      security: []
      parameters:
        - $ref: '#/components/parameters/ScriptPolicyID'
-      security:
-      - cookieAuth: []
      responses:
        "200":
          description: Successful response
@@ -423,8 +489,6 @@ paths:
          application/json:
            schema:
              $ref: '#/components/schemas/ScriptPolicyUpdate'
-      security:
-      - cookieAuth: []
      responses:
        "204":
          description: Successful response
@@ -441,8 +505,6 @@ paths:
        - ScriptPolicy
      parameters:
        - $ref: '#/components/parameters/ScriptPolicyID'
-      security:
-      - cookieAuth: []
      responses:
        "204":
          description: Successful response
@@ -453,6 +515,51 @@ paths:
              schema:
                $ref: "#/components/schemas/Error"
  /scripts:
+    get:
+      summary: Get list of scripts
+      operationId: listScripts
+      tags:
+        - Script
+      security: []
+      parameters:
+      - $ref: "#/components/parameters/Page"
+      - $ref: "#/components/parameters/Limit"
+      - name: Hash
+        in: query
+        schema:
+          type: string
+          minLength: 16
+          maxLength: 16
+      - name: Name
+        in: query
+        schema:
+          type: string
+          maxLength: 128
+      - name: Source
+        in: query
+        schema:
+          type: string
+          maxLength: 1048576
+      - name: SubmissionID
+        in: query
+        schema:
+          type: integer
+          format: int64
+      responses:
+        "200":
+          description: Successful response
+          content:
+            application/json:
+              schema:
+                type: array
+                items:
+                  $ref: "#/components/schemas/Script"
+        default:
+          description: General Error
+          content:
+            application/json:
+              schema:
+                $ref: "#/components/schemas/Error"
    post:
      summary: Create a new script
      operationId: createScript
@@ -464,8 +571,6 @@ paths:
          application/json:
            schema:
              $ref: '#/components/schemas/ScriptCreate'
-      security:
-      - cookieAuth: []
      responses:
        "201":
          description: Successful response
@@ -485,10 +590,9 @@ paths:
      operationId: getScript
      tags:
        - Scripts
+      security: []
      parameters:
        - $ref: '#/components/parameters/ScriptID'
-      security:
-      - cookieAuth: []
      responses:
        "200":
          description: Successful response
@@ -515,8 +619,6 @@ paths:
          application/json:
            schema:
              $ref: '#/components/schemas/ScriptUpdate'
-      security:
-      - cookieAuth: []
      responses:
        "204":
          description: Successful response
@@ -533,8 +635,6 @@ paths:
        - Scripts
      parameters:
        - $ref: '#/components/parameters/ScriptID'
-      security:
-      - cookieAuth: []
      responses:
        "204":
          description: Successful response
@@ -575,6 +675,23 @@ components:
      schema:
        type: integer
        format: int64
+    Page:
+      name: Page
+      in: query
+      required: true
+      schema:
+        type: integer
+        format: int32
+        minimum: 1
+    Limit:
+      name: Limit
+      in: query
+      required: true
+      schema:
+        type: integer
+        format: int32
+        minimum: 1
+        maximum: 100
  schemas:
    Id:
      required:
@@ -584,6 +701,30 @@ components:
        ID:
          type: integer
          format: int64
+    Roles:
+      required:
+      - Roles
+      type: object
+      properties:
+        Roles:
+          type: integer
+          format: int32
+    User:
+      required:
+      - UserID
+      - Username
+      - AvatarURL
+      type: object
+      properties:
+        UserID:
+          type: integer
+          format: int64
+        Username:
+          type: string
+          maxLength: 128
+        AvatarURL:
+          type: string
+          maxLength: 256
    Submission:
      required:
      - ID
@@ -596,9 +737,9 @@ components:
      - AssetID
      - AssetVersion
      - Completed
-      - SubmissionType
-#     - TargetAssetID
+#     - UploadedAssetID
      - StatusID
+      - StatusMessage
      type: object
      properties:
        ID:
@@ -630,32 +771,15 @@ components:
          format: int64
        Completed:
          type: boolean
-        SubmissionType:
-          type: integer
-          format: int32
-        TargetAssetID:
+        UploadedAssetID:
          type: integer
          format: int64
        StatusID:
          type: integer
          format: int32
-    SubmissionFilter:
-      required:
-      - ID
-      type: object
-      properties:
-        ID:
-          type: integer
-          format: int64
-        DisplayName:
+        StatusMessage:
          type: string
-          maxLength: 128
-        Creator:
-          type: string
-          maxLength: 128
-        GameID:
-          type: integer
-          format: int32
+          maxLength: 256
    SubmissionCreate:
      required:
      - DisplayName
@@ -663,7 +787,6 @@ components:
      - GameID
      - AssetID
      - AssetVersion
-#     - TargetAssetID
      type: object
      properties:
        DisplayName:
@@ -681,20 +804,34 @@ components:
        AssetVersion:
          type: integer
          format: int64
-        TargetAssetID:
+    ReleaseInfo:
+      required:
+      - SubmissionID
+      - Date
+      type: object
+      properties:
+        SubmissionID:
          type: integer
          format: int64
+        Date:
+          type: string
+          format: date-time
    Script:
      required:
      - ID
+      - Name
      - Hash
      - Source
-      - SubmissionID
+      - ResourceType
+      - ResourceID
      type: object
      properties:
        ID:
          type: integer
          format: int64
+        Name:
+          type: string
+          maxLength: 128
        Hash:
          type: string
          minLength: 16
@@ -702,19 +839,30 @@ components:
        Source:
          type: string
          maxLength: 1048576
-        SubmissionID:
+        ResourceType:
+          type: integer
+          format: int32
+        ResourceID:
          type: integer
          format: int64
    ScriptCreate:
      required:
+      - Name
      - Source
-#     - SubmissionID
+      - ResourceType
+#     - ResourceID
      type: object
      properties:
+        Name:
+          type: string
+          maxLength: 128
        Source:
          type: string
          maxLength: 1048576
-        SubmissionID:
+        ResourceType:
+          type: integer
+          format: int32
+        ResourceID:
          type: integer
          format: int64
    ScriptUpdate:
@@ -725,10 +873,16 @@ components:
        ID:
          type: integer
          format: int64
+        Name:
+          type: string
+          maxLength: 128
        Source:
          type: string
          maxLength: 1048576
-        SubmissionID:
+        ResourceType:
+          type: integer
+          format: int32
+        ResourceID:
          type: integer
          format: int64
    ScriptPolicy:
@@ -752,22 +906,6 @@ components:
        Policy:
          type: integer
          format: int32
-    ScriptPolicyFilter:
-      type: object
-      properties:
-        ID:
-          type: integer
-          format: int64
-        FromScriptHash:
-          type: string
-          minLength: 16
-          maxLength: 16
-        ToScriptID:
-          type: integer
-          format: int64
-        Policy:
-          type: integer
-          format: int32
    ScriptPolicyCreate:
      required:
      - FromScriptID
@@ -801,21 +939,6 @@ components:
        Policy:
          type: integer
          format: int32
-    Pagination:
-      type: object
-      required:
-        - Page
-        - Limit
-      properties:
-        Page:
-          type: integer
-          format: int32
-          minimum: 1
-        Limit:
-          type: integer
-          format: int32
-          minimum: 1
-          maximum: 100
    Error:
      description: Represents error object
      type: object
--- a/pkg/api/oas_client_gen.go
+++ b/pkg/api/oas_client_gen.go
--- a/pkg/api/oas_handlers_gen.go
+++ b/pkg/api/oas_handlers_gen.go
--- a/pkg/api/oas_json_gen.go
+++ b/pkg/api/oas_json_gen.go
--- a/pkg/api/oas_operations_gen.go
+++ b/pkg/api/oas_operations_gen.go
@@ -6,14 +6,15 @@ package api
 type OperationName = string

 const (
-	ActionSubmissionPublishOperation         OperationName = "ActionSubmissionPublish"
+	ActionSubmissionAcceptedOperation        OperationName = "ActionSubmissionAccepted"
 	ActionSubmissionRejectOperation          OperationName = "ActionSubmissionReject"
 	ActionSubmissionRequestChangesOperation  OperationName = "ActionSubmissionRequestChanges"
+	ActionSubmissionRetryValidateOperation   OperationName = "ActionSubmissionRetryValidate"
 	ActionSubmissionRevokeOperation          OperationName = "ActionSubmissionRevoke"
 	ActionSubmissionSubmitOperation          OperationName = "ActionSubmissionSubmit"
-	ActionSubmissionTriggerPublishOperation  OperationName = "ActionSubmissionTriggerPublish"
+	ActionSubmissionTriggerUploadOperation   OperationName = "ActionSubmissionTriggerUpload"
 	ActionSubmissionTriggerValidateOperation OperationName = "ActionSubmissionTriggerValidate"
-	ActionSubmissionValidateOperation        OperationName = "ActionSubmissionValidate"
+	ActionSubmissionValidatedOperation       OperationName = "ActionSubmissionValidated"
 	CreateScriptOperation                    OperationName = "CreateScript"
 	CreateScriptPolicyOperation              OperationName = "CreateScriptPolicy"
 	CreateSubmissionOperation                OperationName = "CreateSubmission"
@@ -21,10 +22,14 @@ const (
 	DeleteScriptPolicyOperation              OperationName = "DeleteScriptPolicy"
 	GetScriptOperation                       OperationName = "GetScript"
 	GetScriptPolicyOperation                 OperationName = "GetScriptPolicy"
-	GetScriptPolicyFromHashOperation         OperationName = "GetScriptPolicyFromHash"
 	GetSubmissionOperation                   OperationName = "GetSubmission"
 	ListScriptPolicyOperation                OperationName = "ListScriptPolicy"
+	ListScriptsOperation                     OperationName = "ListScripts"
 	ListSubmissionsOperation                 OperationName = "ListSubmissions"
+	ReleaseSubmissionsOperation              OperationName = "ReleaseSubmissions"
+	SessionRolesOperation                    OperationName = "SessionRoles"
+	SessionUserOperation                     OperationName = "SessionUser"
+	SessionValidateOperation                 OperationName = "SessionValidate"
 	SetSubmissionCompletedOperation          OperationName = "SetSubmissionCompleted"
 	UpdateScriptOperation                    OperationName = "UpdateScript"
 	UpdateScriptPolicyOperation              OperationName = "UpdateScriptPolicy"
--- a/pkg/api/oas_parameters_gen.go
+++ b/pkg/api/oas_parameters_gen.go
--- a/pkg/api/oas_request_decoders_gen.go
+++ b/pkg/api/oas_request_decoders_gen.go
@@ -220,8 +220,8 @@ func (s *Server) decodeCreateSubmissionRequest(r *http.Request) (
 	}
 }

-func (s *Server) decodeListScriptPolicyRequest(r *http.Request) (
-	req *ListScriptPolicyReq,
+func (s *Server) decodeReleaseSubmissionsRequest(r *http.Request) (
+	req []ReleaseInfo,
 	close func() error,
 	rerr error,
 ) {
@@ -260,9 +260,17 @@ func (s *Server) decodeListScriptPolicyRequest(r *http.Request) (

 		d := jx.DecodeBytes(buf)

-		var request ListScriptPolicyReq
+		var request []ReleaseInfo
 		if err := func() error {
-			if err := request.Decode(d); err != nil {
+			request = make([]ReleaseInfo, 0)
+			if err := d.Arr(func(d *jx.Decoder) error {
+				var elem ReleaseInfo
+				if err := elem.Decode(d); err != nil {
+					return err
+				}
+				request = append(request, elem)
+				return nil
+			}); err != nil {
 				return err
 			}
 			if err := d.Skip(); err != io.EOF {
@@ -278,85 +286,22 @@ func (s *Server) decodeListScriptPolicyRequest(r *http.Request) (
 			return req, close, err
 		}
 		if err := func() error {
-			if err := request.Validate(); err != nil {
-				return err
+			if request == nil {
+				return errors.New("nil is invalid value")
+			}
+			if err := (validate.Array{
+				MinLength:    1,
+				MinLengthSet: true,
+				MaxLength:    255,
+				MaxLengthSet: true,
+			}).ValidateLength(len(request)); err != nil {
+				return errors.Wrap(err, "array")
 			}
 			return nil
 		}(); err != nil {
 			return req, close, errors.Wrap(err, "validate")
 		}
-		return &request, close, nil
-	default:
-		return req, close, validate.InvalidContentType(ct)
-	}
-}
-
-func (s *Server) decodeListSubmissionsRequest(r *http.Request) (
-	req *ListSubmissionsReq,
-	close func() error,
-	rerr error,
-) {
-	var closers []func() error
-	close = func() error {
-		var merr error
-		// Close in reverse order, to match defer behavior.
-		for i := len(closers) - 1; i >= 0; i-- {
-			c := closers[i]
-			merr = multierr.Append(merr, c())
-		}
-		return merr
-	}
-	defer func() {
-		if rerr != nil {
-			rerr = multierr.Append(rerr, close())
-		}
-	}()
-	ct, _, err := mime.ParseMediaType(r.Header.Get("Content-Type"))
-	if err != nil {
-		return req, close, errors.Wrap(err, "parse media type")
-	}
-	switch {
-	case ct == "application/json":
-		if r.ContentLength == 0 {
-			return req, close, validate.ErrBodyRequired
-		}
-		buf, err := io.ReadAll(r.Body)
-		if err != nil {
-			return req, close, err
-		}
-
-		if len(buf) == 0 {
-			return req, close, validate.ErrBodyRequired
-		}
-
-		d := jx.DecodeBytes(buf)
-
-		var request ListSubmissionsReq
-		if err := func() error {
-			if err := request.Decode(d); err != nil {
-				return err
-			}
-			if err := d.Skip(); err != io.EOF {
-				return errors.New("unexpected trailing data")
-			}
-			return nil
-		}(); err != nil {
-			err = &ogenerrors.DecodeBodyError{
-				ContentType: ct,
-				Body:        buf,
-				Err:         err,
-			}
-			return req, close, err
-		}
-		if err := func() error {
-			if err := request.Validate(); err != nil {
-				return err
-			}
-			return nil
-		}(); err != nil {
-			return req, close, errors.Wrap(err, "validate")
-		}
-		return &request, close, nil
+		return request, close, nil
 	default:
 		return req, close, validate.InvalidContentType(ct)
 	}
--- a/pkg/api/oas_request_encoders_gen.go
+++ b/pkg/api/oas_request_encoders_gen.go
@@ -53,28 +53,18 @@ func encodeCreateSubmissionRequest(
 	return nil
 }

-func encodeListScriptPolicyRequest(
-	req *ListScriptPolicyReq,
+func encodeReleaseSubmissionsRequest(
+	req []ReleaseInfo,
 	r *http.Request,
 ) error {
 	const contentType = "application/json"
 	e := new(jx.Encoder)
 	{
-		req.Encode(e)
-	}
-	encoded := e.Bytes()
-	ht.SetBody(r, bytes.NewReader(encoded), contentType)
-	return nil
-}
-
-func encodeListSubmissionsRequest(
-	req *ListSubmissionsReq,
-	r *http.Request,
-) error {
-	const contentType = "application/json"
-	e := new(jx.Encoder)
-	{
-		req.Encode(e)
+		e.ArrStart()
+		for _, elem := range req {
+			elem.Encode(e)
+		}
+		e.ArrEnd()
 	}
 	encoded := e.Bytes()
 	ht.SetBody(r, bytes.NewReader(encoded), contentType)
--- a/pkg/api/oas_response_decoders_gen.go
+++ b/pkg/api/oas_response_decoders_gen.go
@@ -15,11 +15,11 @@ import (
 	"github.com/ogen-go/ogen/validate"
 )

-func decodeActionSubmissionPublishResponse(resp *http.Response) (res *ActionSubmissionPublishNoContent, _ error) {
+func decodeActionSubmissionAcceptedResponse(resp *http.Response) (res *ActionSubmissionAcceptedNoContent, _ error) {
 	switch resp.StatusCode {
 	case 204:
 		// Code 204.
-		return &ActionSubmissionPublishNoContent{}, nil
+		return &ActionSubmissionAcceptedNoContent{}, nil
 	}
 	// Convenient error response.
 	defRes, err := func() (res *ErrorStatusCode, err error) {
@@ -168,6 +168,57 @@ func decodeActionSubmissionRequestChangesResponse(resp *http.Response) (res *Act
 	return res, errors.Wrap(defRes, "error")
 }

+func decodeActionSubmissionRetryValidateResponse(resp *http.Response) (res *ActionSubmissionRetryValidateNoContent, _ error) {
+	switch resp.StatusCode {
+	case 204:
+		// Code 204.
+		return &ActionSubmissionRetryValidateNoContent{}, nil
+	}
+	// Convenient error response.
+	defRes, err := func() (res *ErrorStatusCode, err error) {
+		ct, _, err := mime.ParseMediaType(resp.Header.Get("Content-Type"))
+		if err != nil {
+			return res, errors.Wrap(err, "parse media type")
+		}
+		switch {
+		case ct == "application/json":
+			buf, err := io.ReadAll(resp.Body)
+			if err != nil {
+				return res, err
+			}
+			d := jx.DecodeBytes(buf)
+
+			var response Error
+			if err := func() error {
+				if err := response.Decode(d); err != nil {
+					return err
+				}
+				if err := d.Skip(); err != io.EOF {
+					return errors.New("unexpected trailing data")
+				}
+				return nil
+			}(); err != nil {
+				err = &ogenerrors.DecodeBodyError{
+					ContentType: ct,
+					Body:        buf,
+					Err:         err,
+				}
+				return res, err
+			}
+			return &ErrorStatusCode{
+				StatusCode: resp.StatusCode,
+				Response:   response,
+			}, nil
+		default:
+			return res, validate.InvalidContentType(ct)
+		}
+	}()
+	if err != nil {
+		return res, errors.Wrapf(err, "default (code %d)", resp.StatusCode)
+	}
+	return res, errors.Wrap(defRes, "error")
+}
+
 func decodeActionSubmissionRevokeResponse(resp *http.Response) (res *ActionSubmissionRevokeNoContent, _ error) {
 	switch resp.StatusCode {
 	case 204:
@@ -270,11 +321,11 @@ func decodeActionSubmissionSubmitResponse(resp *http.Response) (res *ActionSubmi
 	return res, errors.Wrap(defRes, "error")
 }

-func decodeActionSubmissionTriggerPublishResponse(resp *http.Response) (res *ActionSubmissionTriggerPublishNoContent, _ error) {
+func decodeActionSubmissionTriggerUploadResponse(resp *http.Response) (res *ActionSubmissionTriggerUploadNoContent, _ error) {
 	switch resp.StatusCode {
 	case 204:
 		// Code 204.
-		return &ActionSubmissionTriggerPublishNoContent{}, nil
+		return &ActionSubmissionTriggerUploadNoContent{}, nil
 	}
 	// Convenient error response.
 	defRes, err := func() (res *ErrorStatusCode, err error) {
@@ -372,11 +423,11 @@ func decodeActionSubmissionTriggerValidateResponse(resp *http.Response) (res *Ac
 	return res, errors.Wrap(defRes, "error")
 }

-func decodeActionSubmissionValidateResponse(resp *http.Response) (res *ActionSubmissionValidateNoContent, _ error) {
+func decodeActionSubmissionValidatedResponse(resp *http.Response) (res *ActionSubmissionValidatedNoContent, _ error) {
 	switch resp.StatusCode {
 	case 204:
 		// Code 204.
-		return &ActionSubmissionValidateNoContent{}, nil
+		return &ActionSubmissionValidatedNoContent{}, nil
 	}
 	// Convenient error response.
 	defRes, err := func() (res *ErrorStatusCode, err error) {
@@ -958,98 +1009,6 @@ func decodeGetScriptPolicyResponse(resp *http.Response) (res *ScriptPolicy, _ er
 	return res, errors.Wrap(defRes, "error")
 }

-func decodeGetScriptPolicyFromHashResponse(resp *http.Response) (res *ScriptPolicy, _ error) {
-	switch resp.StatusCode {
-	case 200:
-		// Code 200.
-		ct, _, err := mime.ParseMediaType(resp.Header.Get("Content-Type"))
-		if err != nil {
-			return res, errors.Wrap(err, "parse media type")
-		}
-		switch {
-		case ct == "application/json":
-			buf, err := io.ReadAll(resp.Body)
-			if err != nil {
-				return res, err
-			}
-			d := jx.DecodeBytes(buf)
-
-			var response ScriptPolicy
-			if err := func() error {
-				if err := response.Decode(d); err != nil {
-					return err
-				}
-				if err := d.Skip(); err != io.EOF {
-					return errors.New("unexpected trailing data")
-				}
-				return nil
-			}(); err != nil {
-				err = &ogenerrors.DecodeBodyError{
-					ContentType: ct,
-					Body:        buf,
-					Err:         err,
-				}
-				return res, err
-			}
-			// Validate response.
-			if err := func() error {
-				if err := response.Validate(); err != nil {
-					return err
-				}
-				return nil
-			}(); err != nil {
-				return res, errors.Wrap(err, "validate")
-			}
-			return &response, nil
-		default:
-			return res, validate.InvalidContentType(ct)
-		}
-	}
-	// Convenient error response.
-	defRes, err := func() (res *ErrorStatusCode, err error) {
-		ct, _, err := mime.ParseMediaType(resp.Header.Get("Content-Type"))
-		if err != nil {
-			return res, errors.Wrap(err, "parse media type")
-		}
-		switch {
-		case ct == "application/json":
-			buf, err := io.ReadAll(resp.Body)
-			if err != nil {
-				return res, err
-			}
-			d := jx.DecodeBytes(buf)
-
-			var response Error
-			if err := func() error {
-				if err := response.Decode(d); err != nil {
-					return err
-				}
-				if err := d.Skip(); err != io.EOF {
-					return errors.New("unexpected trailing data")
-				}
-				return nil
-			}(); err != nil {
-				err = &ogenerrors.DecodeBodyError{
-					ContentType: ct,
-					Body:        buf,
-					Err:         err,
-				}
-				return res, err
-			}
-			return &ErrorStatusCode{
-				StatusCode: resp.StatusCode,
-				Response:   response,
-			}, nil
-		default:
-			return res, validate.InvalidContentType(ct)
-		}
-	}()
-	if err != nil {
-		return res, errors.Wrapf(err, "default (code %d)", resp.StatusCode)
-	}
-	return res, errors.Wrap(defRes, "error")
-}
-
 func decodeGetSubmissionResponse(resp *http.Response) (res *Submission, _ error) {
 	switch resp.StatusCode {
 	case 200:
@@ -1259,6 +1218,123 @@ func decodeListScriptPolicyResponse(resp *http.Response) (res []ScriptPolicy, _
 	return res, errors.Wrap(defRes, "error")
 }

+func decodeListScriptsResponse(resp *http.Response) (res []Script, _ error) {
+	switch resp.StatusCode {
+	case 200:
+		// Code 200.
+		ct, _, err := mime.ParseMediaType(resp.Header.Get("Content-Type"))
+		if err != nil {
+			return res, errors.Wrap(err, "parse media type")
+		}
+		switch {
+		case ct == "application/json":
+			buf, err := io.ReadAll(resp.Body)
+			if err != nil {
+				return res, err
+			}
+			d := jx.DecodeBytes(buf)
+
+			var response []Script
+			if err := func() error {
+				response = make([]Script, 0)
+				if err := d.Arr(func(d *jx.Decoder) error {
+					var elem Script
+					if err := elem.Decode(d); err != nil {
+						return err
+					}
+					response = append(response, elem)
+					return nil
+				}); err != nil {
+					return err
+				}
+				if err := d.Skip(); err != io.EOF {
+					return errors.New("unexpected trailing data")
+				}
+				return nil
+			}(); err != nil {
+				err = &ogenerrors.DecodeBodyError{
+					ContentType: ct,
+					Body:        buf,
+					Err:         err,
+				}
+				return res, err
+			}
+			// Validate response.
+			if err := func() error {
+				if response == nil {
+					return errors.New("nil is invalid value")
+				}
+				var failures []validate.FieldError
+				for i, elem := range response {
+					if err := func() error {
+						if err := elem.Validate(); err != nil {
+							return err
+						}
+						return nil
+					}(); err != nil {
+						failures = append(failures, validate.FieldError{
+							Name:  fmt.Sprintf("[%d]", i),
+							Error: err,
+						})
+					}
+				}
+				if len(failures) > 0 {
+					return &validate.Error{Fields: failures}
+				}
+				return nil
+			}(); err != nil {
+				return res, errors.Wrap(err, "validate")
+			}
+			return response, nil
+		default:
+			return res, validate.InvalidContentType(ct)
+		}
+	}
+	// Convenient error response.
+	defRes, err := func() (res *ErrorStatusCode, err error) {
+		ct, _, err := mime.ParseMediaType(resp.Header.Get("Content-Type"))
+		if err != nil {
+			return res, errors.Wrap(err, "parse media type")
+		}
+		switch {
+		case ct == "application/json":
+			buf, err := io.ReadAll(resp.Body)
+			if err != nil {
+				return res, err
+			}
+			d := jx.DecodeBytes(buf)
+
+			var response Error
+			if err := func() error {
+				if err := response.Decode(d); err != nil {
+					return err
+				}
+				if err := d.Skip(); err != io.EOF {
+					return errors.New("unexpected trailing data")
+				}
+				return nil
+			}(); err != nil {
+				err = &ogenerrors.DecodeBodyError{
+					ContentType: ct,
+					Body:        buf,
+					Err:         err,
+				}
+				return res, err
+			}
+			return &ErrorStatusCode{
+				StatusCode: resp.StatusCode,
+				Response:   response,
+			}, nil
+		default:
+			return res, validate.InvalidContentType(ct)
+		}
+	}()
+	if err != nil {
+		return res, errors.Wrapf(err, "default (code %d)", resp.StatusCode)
+	}
+	return res, errors.Wrap(defRes, "error")
+}
+
 func decodeListSubmissionsResponse(resp *http.Response) (res []Submission, _ error) {
 	switch resp.StatusCode {
 	case 200:
@@ -1376,6 +1452,317 @@ func decodeListSubmissionsResponse(resp *http.Response) (res []Submission, _ err
 	return res, errors.Wrap(defRes, "error")
 }

+func decodeReleaseSubmissionsResponse(resp *http.Response) (res *ReleaseSubmissionsCreated, _ error) {
+	switch resp.StatusCode {
+	case 201:
+		// Code 201.
+		return &ReleaseSubmissionsCreated{}, nil
+	}
+	// Convenient error response.
+	defRes, err := func() (res *ErrorStatusCode, err error) {
+		ct, _, err := mime.ParseMediaType(resp.Header.Get("Content-Type"))
+		if err != nil {
+			return res, errors.Wrap(err, "parse media type")
+		}
+		switch {
+		case ct == "application/json":
+			buf, err := io.ReadAll(resp.Body)
+			if err != nil {
+				return res, err
+			}
+			d := jx.DecodeBytes(buf)
+
+			var response Error
+			if err := func() error {
+				if err := response.Decode(d); err != nil {
+					return err
+				}
+				if err := d.Skip(); err != io.EOF {
+					return errors.New("unexpected trailing data")
+				}
+				return nil
+			}(); err != nil {
+				err = &ogenerrors.DecodeBodyError{
+					ContentType: ct,
+					Body:        buf,
+					Err:         err,
+				}
+				return res, err
+			}
+			return &ErrorStatusCode{
+				StatusCode: resp.StatusCode,
+				Response:   response,
+			}, nil
+		default:
+			return res, validate.InvalidContentType(ct)
+		}
+	}()
+	if err != nil {
+		return res, errors.Wrapf(err, "default (code %d)", resp.StatusCode)
+	}
+	return res, errors.Wrap(defRes, "error")
+}
+
+func decodeSessionRolesResponse(resp *http.Response) (res *Roles, _ error) {
+	switch resp.StatusCode {
+	case 200:
+		// Code 200.
+		ct, _, err := mime.ParseMediaType(resp.Header.Get("Content-Type"))
+		if err != nil {
+			return res, errors.Wrap(err, "parse media type")
+		}
+		switch {
+		case ct == "application/json":
+			buf, err := io.ReadAll(resp.Body)
+			if err != nil {
+				return res, err
+			}
+			d := jx.DecodeBytes(buf)
+
+			var response Roles
+			if err := func() error {
+				if err := response.Decode(d); err != nil {
+					return err
+				}
+				if err := d.Skip(); err != io.EOF {
+					return errors.New("unexpected trailing data")
+				}
+				return nil
+			}(); err != nil {
+				err = &ogenerrors.DecodeBodyError{
+					ContentType: ct,
+					Body:        buf,
+					Err:         err,
+				}
+				return res, err
+			}
+			return &response, nil
+		default:
+			return res, validate.InvalidContentType(ct)
+		}
+	}
+	// Convenient error response.
+	defRes, err := func() (res *ErrorStatusCode, err error) {
+		ct, _, err := mime.ParseMediaType(resp.Header.Get("Content-Type"))
+		if err != nil {
+			return res, errors.Wrap(err, "parse media type")
+		}
+		switch {
+		case ct == "application/json":
+			buf, err := io.ReadAll(resp.Body)
+			if err != nil {
+				return res, err
+			}
+			d := jx.DecodeBytes(buf)
+
+			var response Error
+			if err := func() error {
+				if err := response.Decode(d); err != nil {
+					return err
+				}
+				if err := d.Skip(); err != io.EOF {
+					return errors.New("unexpected trailing data")
+				}
+				return nil
+			}(); err != nil {
+				err = &ogenerrors.DecodeBodyError{
+					ContentType: ct,
+					Body:        buf,
+					Err:         err,
+				}
+				return res, err
+			}
+			return &ErrorStatusCode{
+				StatusCode: resp.StatusCode,
+				Response:   response,
+			}, nil
+		default:
+			return res, validate.InvalidContentType(ct)
+		}
+	}()
+	if err != nil {
+		return res, errors.Wrapf(err, "default (code %d)", resp.StatusCode)
+	}
+	return res, errors.Wrap(defRes, "error")
+}
+
+func decodeSessionUserResponse(resp *http.Response) (res *User, _ error) {
+	switch resp.StatusCode {
+	case 200:
+		// Code 200.
+		ct, _, err := mime.ParseMediaType(resp.Header.Get("Content-Type"))
+		if err != nil {
+			return res, errors.Wrap(err, "parse media type")
+		}
+		switch {
+		case ct == "application/json":
+			buf, err := io.ReadAll(resp.Body)
+			if err != nil {
+				return res, err
+			}
+			d := jx.DecodeBytes(buf)
+
+			var response User
+			if err := func() error {
+				if err := response.Decode(d); err != nil {
+					return err
+				}
+				if err := d.Skip(); err != io.EOF {
+					return errors.New("unexpected trailing data")
+				}
+				return nil
+			}(); err != nil {
+				err = &ogenerrors.DecodeBodyError{
+					ContentType: ct,
+					Body:        buf,
+					Err:         err,
+				}
+				return res, err
+			}
+			// Validate response.
+			if err := func() error {
+				if err := response.Validate(); err != nil {
+					return err
+				}
+				return nil
+			}(); err != nil {
+				return res, errors.Wrap(err, "validate")
+			}
+			return &response, nil
+		default:
+			return res, validate.InvalidContentType(ct)
+		}
+	}
+	// Convenient error response.
+	defRes, err := func() (res *ErrorStatusCode, err error) {
+		ct, _, err := mime.ParseMediaType(resp.Header.Get("Content-Type"))
+		if err != nil {
+			return res, errors.Wrap(err, "parse media type")
+		}
+		switch {
+		case ct == "application/json":
+			buf, err := io.ReadAll(resp.Body)
+			if err != nil {
+				return res, err
+			}
+			d := jx.DecodeBytes(buf)
+
+			var response Error
+			if err := func() error {
+				if err := response.Decode(d); err != nil {
+					return err
+				}
+				if err := d.Skip(); err != io.EOF {
+					return errors.New("unexpected trailing data")
+				}
+				return nil
+			}(); err != nil {
+				err = &ogenerrors.DecodeBodyError{
+					ContentType: ct,
+					Body:        buf,
+					Err:         err,
+				}
+				return res, err
+			}
+			return &ErrorStatusCode{
+				StatusCode: resp.StatusCode,
+				Response:   response,
+			}, nil
+		default:
+			return res, validate.InvalidContentType(ct)
+		}
+	}()
+	if err != nil {
+		return res, errors.Wrapf(err, "default (code %d)", resp.StatusCode)
+	}
+	return res, errors.Wrap(defRes, "error")
+}
+
+func decodeSessionValidateResponse(resp *http.Response) (res bool, _ error) {
+	switch resp.StatusCode {
+	case 200:
+		// Code 200.
+		ct, _, err := mime.ParseMediaType(resp.Header.Get("Content-Type"))
+		if err != nil {
+			return res, errors.Wrap(err, "parse media type")
+		}
+		switch {
+		case ct == "application/json":
+			buf, err := io.ReadAll(resp.Body)
+			if err != nil {
+				return res, err
+			}
+			d := jx.DecodeBytes(buf)
+
+			var response bool
+			if err := func() error {
+				v, err := d.Bool()
+				response = bool(v)
+				if err != nil {
+					return err
+				}
+				if err := d.Skip(); err != io.EOF {
+					return errors.New("unexpected trailing data")
+				}
+				return nil
+			}(); err != nil {
+				err = &ogenerrors.DecodeBodyError{
+					ContentType: ct,
+					Body:        buf,
+					Err:         err,
+				}
+				return res, err
+			}
+			return response, nil
+		default:
+			return res, validate.InvalidContentType(ct)
+		}
+	}
+	// Convenient error response.
+	defRes, err := func() (res *ErrorStatusCode, err error) {
+		ct, _, err := mime.ParseMediaType(resp.Header.Get("Content-Type"))
+		if err != nil {
+			return res, errors.Wrap(err, "parse media type")
+		}
+		switch {
+		case ct == "application/json":
+			buf, err := io.ReadAll(resp.Body)
+			if err != nil {
+				return res, err
+			}
+			d := jx.DecodeBytes(buf)
+
+			var response Error
+			if err := func() error {
+				if err := response.Decode(d); err != nil {
+					return err
+				}
+				if err := d.Skip(); err != io.EOF {
+					return errors.New("unexpected trailing data")
+				}
+				return nil
+			}(); err != nil {
+				err = &ogenerrors.DecodeBodyError{
+					ContentType: ct,
+					Body:        buf,
+					Err:         err,
+				}
+				return res, err
+			}
+			return &ErrorStatusCode{
+				StatusCode: resp.StatusCode,
+				Response:   response,
+			}, nil
+		default:
+			return res, validate.InvalidContentType(ct)
+		}
+	}()
+	if err != nil {
+		return res, errors.Wrapf(err, "default (code %d)", resp.StatusCode)
+	}
+	return res, errors.Wrap(defRes, "error")
+}
+
 func decodeSetSubmissionCompletedResponse(resp *http.Response) (res *SetSubmissionCompletedNoContent, _ error) {
 	switch resp.StatusCode {
 	case 204:
--- a/pkg/api/oas_response_encoders_gen.go
+++ b/pkg/api/oas_response_encoders_gen.go
@@ -13,7 +13,7 @@ import (
 	ht "github.com/ogen-go/ogen/http"
 )

-func encodeActionSubmissionPublishResponse(response *ActionSubmissionPublishNoContent, w http.ResponseWriter, span trace.Span) error {
+func encodeActionSubmissionAcceptedResponse(response *ActionSubmissionAcceptedNoContent, w http.ResponseWriter, span trace.Span) error {
 	w.WriteHeader(204)
 	span.SetStatus(codes.Ok, http.StatusText(204))

@@ -34,6 +34,13 @@ func encodeActionSubmissionRequestChangesResponse(response *ActionSubmissionRequ
 	return nil
 }

+func encodeActionSubmissionRetryValidateResponse(response *ActionSubmissionRetryValidateNoContent, w http.ResponseWriter, span trace.Span) error {
+	w.WriteHeader(204)
+	span.SetStatus(codes.Ok, http.StatusText(204))
+
+	return nil
+}
+
 func encodeActionSubmissionRevokeResponse(response *ActionSubmissionRevokeNoContent, w http.ResponseWriter, span trace.Span) error {
 	w.WriteHeader(204)
 	span.SetStatus(codes.Ok, http.StatusText(204))
@@ -48,7 +55,7 @@ func encodeActionSubmissionSubmitResponse(response *ActionSubmissionSubmitNoCont
 	return nil
 }

-func encodeActionSubmissionTriggerPublishResponse(response *ActionSubmissionTriggerPublishNoContent, w http.ResponseWriter, span trace.Span) error {
+func encodeActionSubmissionTriggerUploadResponse(response *ActionSubmissionTriggerUploadNoContent, w http.ResponseWriter, span trace.Span) error {
 	w.WriteHeader(204)
 	span.SetStatus(codes.Ok, http.StatusText(204))

@@ -62,7 +69,7 @@ func encodeActionSubmissionTriggerValidateResponse(response *ActionSubmissionTri
 	return nil
 }

-func encodeActionSubmissionValidateResponse(response *ActionSubmissionValidateNoContent, w http.ResponseWriter, span trace.Span) error {
+func encodeActionSubmissionValidatedResponse(response *ActionSubmissionValidatedNoContent, w http.ResponseWriter, span trace.Span) error {
 	w.WriteHeader(204)
 	span.SetStatus(codes.Ok, http.StatusText(204))

@@ -153,20 +160,6 @@ func encodeGetScriptPolicyResponse(response *ScriptPolicy, w http.ResponseWriter
 	return nil
 }

-func encodeGetScriptPolicyFromHashResponse(response *ScriptPolicy, w http.ResponseWriter, span trace.Span) error {
-	w.Header().Set("Content-Type", "application/json; charset=utf-8")
-	w.WriteHeader(200)
-	span.SetStatus(codes.Ok, http.StatusText(200))
-
-	e := new(jx.Encoder)
-	response.Encode(e)
-	if _, err := e.WriteTo(w); err != nil {
-		return errors.Wrap(err, "write")
-	}
-
-	return nil
-}
-
 func encodeGetSubmissionResponse(response *Submission, w http.ResponseWriter, span trace.Span) error {
 	w.Header().Set("Content-Type", "application/json; charset=utf-8")
 	w.WriteHeader(200)
@@ -199,6 +192,24 @@ func encodeListScriptPolicyResponse(response []ScriptPolicy, w http.ResponseWrit
 	return nil
 }

+func encodeListScriptsResponse(response []Script, w http.ResponseWriter, span trace.Span) error {
+	w.Header().Set("Content-Type", "application/json; charset=utf-8")
+	w.WriteHeader(200)
+	span.SetStatus(codes.Ok, http.StatusText(200))
+
+	e := new(jx.Encoder)
+	e.ArrStart()
+	for _, elem := range response {
+		elem.Encode(e)
+	}
+	e.ArrEnd()
+	if _, err := e.WriteTo(w); err != nil {
+		return errors.Wrap(err, "write")
+	}
+
+	return nil
+}
+
 func encodeListSubmissionsResponse(response []Submission, w http.ResponseWriter, span trace.Span) error {
 	w.Header().Set("Content-Type", "application/json; charset=utf-8")
 	w.WriteHeader(200)
@@ -217,6 +228,55 @@ func encodeListSubmissionsResponse(response []Submission, w http.ResponseWriter,
 	return nil
 }

+func encodeReleaseSubmissionsResponse(response *ReleaseSubmissionsCreated, w http.ResponseWriter, span trace.Span) error {
+	w.WriteHeader(201)
+	span.SetStatus(codes.Ok, http.StatusText(201))
+
+	return nil
+}
+
+func encodeSessionRolesResponse(response *Roles, w http.ResponseWriter, span trace.Span) error {
+	w.Header().Set("Content-Type", "application/json; charset=utf-8")
+	w.WriteHeader(200)
+	span.SetStatus(codes.Ok, http.StatusText(200))
+
+	e := new(jx.Encoder)
+	response.Encode(e)
+	if _, err := e.WriteTo(w); err != nil {
+		return errors.Wrap(err, "write")
+	}
+
+	return nil
+}
+
+func encodeSessionUserResponse(response *User, w http.ResponseWriter, span trace.Span) error {
+	w.Header().Set("Content-Type", "application/json; charset=utf-8")
+	w.WriteHeader(200)
+	span.SetStatus(codes.Ok, http.StatusText(200))
+
+	e := new(jx.Encoder)
+	response.Encode(e)
+	if _, err := e.WriteTo(w); err != nil {
+		return errors.Wrap(err, "write")
+	}
+
+	return nil
+}
+
+func encodeSessionValidateResponse(response bool, w http.ResponseWriter, span trace.Span) error {
+	w.Header().Set("Content-Type", "application/json; charset=utf-8")
+	w.WriteHeader(200)
+	span.SetStatus(codes.Ok, http.StatusText(200))
+
+	e := new(jx.Encoder)
+	e.Bool(response)
+	if _, err := e.WriteTo(w); err != nil {
+		return errors.Wrap(err, "write")
+	}
+
+	return nil
+}
+
 func encodeSetSubmissionCompletedResponse(response *SetSubmissionCompletedNoContent, w http.ResponseWriter, span trace.Span) error {
 	w.WriteHeader(204)
 	span.SetStatus(codes.Ok, http.StatusText(204))
--- a/pkg/api/oas_router_gen.go
+++ b/pkg/api/oas_router_gen.go
--- a/pkg/api/oas_schemas_gen.go
+++ b/pkg/api/oas_schemas_gen.go
@@ -4,14 +4,15 @@ package api

 import (
 	"fmt"
+	"time"
 )

 func (s *ErrorStatusCode) Error() string {
 	return fmt.Sprintf("code %d: %+v", s.StatusCode, s.Response)
 }

-// ActionSubmissionPublishNoContent is response for ActionSubmissionPublish operation.
-type ActionSubmissionPublishNoContent struct{}
+// ActionSubmissionAcceptedNoContent is response for ActionSubmissionAccepted operation.
+type ActionSubmissionAcceptedNoContent struct{}

 // ActionSubmissionRejectNoContent is response for ActionSubmissionReject operation.
 type ActionSubmissionRejectNoContent struct{}
@@ -19,20 +20,23 @@ type ActionSubmissionRejectNoContent struct{}
 // ActionSubmissionRequestChangesNoContent is response for ActionSubmissionRequestChanges operation.
 type ActionSubmissionRequestChangesNoContent struct{}

+// ActionSubmissionRetryValidateNoContent is response for ActionSubmissionRetryValidate operation.
+type ActionSubmissionRetryValidateNoContent struct{}
+
 // ActionSubmissionRevokeNoContent is response for ActionSubmissionRevoke operation.
 type ActionSubmissionRevokeNoContent struct{}

 // ActionSubmissionSubmitNoContent is response for ActionSubmissionSubmit operation.
 type ActionSubmissionSubmitNoContent struct{}

-// ActionSubmissionTriggerPublishNoContent is response for ActionSubmissionTriggerPublish operation.
-type ActionSubmissionTriggerPublishNoContent struct{}
+// ActionSubmissionTriggerUploadNoContent is response for ActionSubmissionTriggerUpload operation.
+type ActionSubmissionTriggerUploadNoContent struct{}

 // ActionSubmissionTriggerValidateNoContent is response for ActionSubmissionTriggerValidate operation.
 type ActionSubmissionTriggerValidateNoContent struct{}

-// ActionSubmissionValidateNoContent is response for ActionSubmissionValidate operation.
-type ActionSubmissionValidateNoContent struct{}
+// ActionSubmissionValidatedNoContent is response for ActionSubmissionValidated operation.
+type ActionSubmissionValidatedNoContent struct{}

 type CookieAuth struct {
 	APIKey string
@@ -122,56 +126,6 @@ func (s *ID) SetID(val int64) {
 	s.ID = val
 }

-type ListScriptPolicyReq struct {
-	Page   Pagination            `json:"Page"`
-	Filter OptScriptPolicyFilter `json:"Filter"`
-}
-
-// GetPage returns the value of Page.
-func (s *ListScriptPolicyReq) GetPage() Pagination {
-	return s.Page
-}
-
-// GetFilter returns the value of Filter.
-func (s *ListScriptPolicyReq) GetFilter() OptScriptPolicyFilter {
-	return s.Filter
-}
-
-// SetPage sets the value of Page.
-func (s *ListScriptPolicyReq) SetPage(val Pagination) {
-	s.Page = val
-}
-
-// SetFilter sets the value of Filter.
-func (s *ListScriptPolicyReq) SetFilter(val OptScriptPolicyFilter) {
-	s.Filter = val
-}
-
-type ListSubmissionsReq struct {
-	Page   Pagination          `json:"Page"`
-	Filter OptSubmissionFilter `json:"Filter"`
-}
-
-// GetPage returns the value of Page.
-func (s *ListSubmissionsReq) GetPage() Pagination {
-	return s.Page
-}
-
-// GetFilter returns the value of Filter.
-func (s *ListSubmissionsReq) GetFilter() OptSubmissionFilter {
-	return s.Filter
-}
-
-// SetPage sets the value of Page.
-func (s *ListSubmissionsReq) SetPage(val Pagination) {
-	s.Page = val
-}
-
-// SetFilter sets the value of Filter.
-func (s *ListSubmissionsReq) SetFilter(val OptSubmissionFilter) {
-	s.Filter = val
-}
-
 // NewOptInt32 returns new OptInt32 with value set to v.
 func NewOptInt32(v int32) OptInt32 {
 	return OptInt32{
@@ -264,52 +218,6 @@ func (o OptInt64) Or(d int64) int64 {
 	return d
 }

-// NewOptScriptPolicyFilter returns new OptScriptPolicyFilter with value set to v.
-func NewOptScriptPolicyFilter(v ScriptPolicyFilter) OptScriptPolicyFilter {
-	return OptScriptPolicyFilter{
-		Value: v,
-		Set:   true,
-	}
-}
-
-// OptScriptPolicyFilter is optional ScriptPolicyFilter.
-type OptScriptPolicyFilter struct {
-	Value ScriptPolicyFilter
-	Set   bool
-}
-
-// IsSet returns true if OptScriptPolicyFilter was set.
-func (o OptScriptPolicyFilter) IsSet() bool { return o.Set }
-
-// Reset unsets value.
-func (o *OptScriptPolicyFilter) Reset() {
-	var v ScriptPolicyFilter
-	o.Value = v
-	o.Set = false
-}
-
-// SetTo sets value to v.
-func (o *OptScriptPolicyFilter) SetTo(v ScriptPolicyFilter) {
-	o.Set = true
-	o.Value = v
-}
-
-// Get returns value and boolean that denotes whether value was set.
-func (o OptScriptPolicyFilter) Get() (v ScriptPolicyFilter, ok bool) {
-	if !o.Set {
-		return v, false
-	}
-	return o.Value, true
-}
-
-// Or returns value if set, or given parameter if does not.
-func (o OptScriptPolicyFilter) Or(d ScriptPolicyFilter) ScriptPolicyFilter {
-	if v, ok := o.Get(); ok {
-		return v
-	}
-	return d
-}
-
 // NewOptString returns new OptString with value set to v.
 func NewOptString(v string) OptString {
 	return OptString{
@@ -356,84 +264,58 @@ func (o OptString) Or(d string) string {
 	return d
 }

-// NewOptSubmissionFilter returns new OptSubmissionFilter with value set to v.
-func NewOptSubmissionFilter(v SubmissionFilter) OptSubmissionFilter {
-	return OptSubmissionFilter{
-		Value: v,
-		Set:   true,
-	}
+// Ref: #/components/schemas/ReleaseInfo
+type ReleaseInfo struct {
+	SubmissionID int64     `json:"SubmissionID"`
+	Date         time.Time `json:"Date"`
 }

-// OptSubmissionFilter is optional SubmissionFilter.
-type OptSubmissionFilter struct {
-	Value SubmissionFilter
-	Set   bool
+// GetSubmissionID returns the value of SubmissionID.
+func (s *ReleaseInfo) GetSubmissionID() int64 {
+	return s.SubmissionID
 }

-// IsSet returns true if OptSubmissionFilter was set.
-func (o OptSubmissionFilter) IsSet() bool { return o.Set }
-
-// Reset unsets value.
-func (o *OptSubmissionFilter) Reset() {
-	var v SubmissionFilter
-	o.Value = v
-	o.Set = false
+// GetDate returns the value of Date.
+func (s *ReleaseInfo) GetDate() time.Time {
+	return s.Date
 }

-// SetTo sets value to v.
-func (o *OptSubmissionFilter) SetTo(v SubmissionFilter) {
-	o.Set = true
-	o.Value = v
+// SetSubmissionID sets the value of SubmissionID.
+func (s *ReleaseInfo) SetSubmissionID(val int64) {
+	s.SubmissionID = val
 }

-// Get returns value and boolean that denotes whether value was set.
-func (o OptSubmissionFilter) Get() (v SubmissionFilter, ok bool) {
-	if !o.Set {
-		return v, false
-	}
-	return o.Value, true
+// SetDate sets the value of Date.
+func (s *ReleaseInfo) SetDate(val time.Time) {
+	s.Date = val
 }

-// Or returns value if set, or given parameter if does not.
-func (o OptSubmissionFilter) Or(d SubmissionFilter) SubmissionFilter {
-	if v, ok := o.Get(); ok {
-		return v
-	}
-	return d
+// ReleaseSubmissionsCreated is response for ReleaseSubmissions operation.
+type ReleaseSubmissionsCreated struct{}
+
+// Ref: #/components/schemas/Roles
+type Roles struct {
+	Roles int32 `json:"Roles"`
 }

-// Ref: #/components/schemas/Pagination
-type Pagination struct {
-	Page  int32 `json:"Page"`
-	Limit int32 `json:"Limit"`
+// GetRoles returns the value of Roles.
+func (s *Roles) GetRoles() int32 {
+	return s.Roles
 }

-// GetPage returns the value of Page.
-func (s *Pagination) GetPage() int32 {
-	return s.Page
-}
-
-// GetLimit returns the value of Limit.
-func (s *Pagination) GetLimit() int32 {
-	return s.Limit
-}
-
-// SetPage sets the value of Page.
-func (s *Pagination) SetPage(val int32) {
-	s.Page = val
-}
-
-// SetLimit sets the value of Limit.
-func (s *Pagination) SetLimit(val int32) {
-	s.Limit = val
+// SetRoles sets the value of Roles.
+func (s *Roles) SetRoles(val int32) {
+	s.Roles = val
 }

 // Ref: #/components/schemas/Script
 type Script struct {
 	ID           int64  `json:"ID"`
+	Name         string `json:"Name"`
 	Hash         string `json:"Hash"`
 	Source       string `json:"Source"`
-	SubmissionID int64  `json:"SubmissionID"`
+	ResourceType int32  `json:"ResourceType"`
+	ResourceID   int64  `json:"ResourceID"`
 }

 // GetID returns the value of ID.
@@ -441,6 +323,11 @@ func (s *Script) GetID() int64 {
 	return s.ID
 }

+// GetName returns the value of Name.
+func (s *Script) GetName() string {
+	return s.Name
+}
+
 // GetHash returns the value of Hash.
 func (s *Script) GetHash() string {
 	return s.Hash
@@ -451,9 +338,14 @@ func (s *Script) GetSource() string {
 	return s.Source
 }

-// GetSubmissionID returns the value of SubmissionID.
-func (s *Script) GetSubmissionID() int64 {
-	return s.SubmissionID
+// GetResourceType returns the value of ResourceType.
+func (s *Script) GetResourceType() int32 {
+	return s.ResourceType
+}
+
+// GetResourceID returns the value of ResourceID.
+func (s *Script) GetResourceID() int64 {
+	return s.ResourceID
 }

 // SetID sets the value of ID.
@@ -461,6 +353,11 @@ func (s *Script) SetID(val int64) {
 	s.ID = val
 }

+// SetName sets the value of Name.
+func (s *Script) SetName(val string) {
+	s.Name = val
+}
+
 // SetHash sets the value of Hash.
 func (s *Script) SetHash(val string) {
 	s.Hash = val
@@ -471,15 +368,27 @@ func (s *Script) SetSource(val string) {
 	s.Source = val
 }

-// SetSubmissionID sets the value of SubmissionID.
-func (s *Script) SetSubmissionID(val int64) {
-	s.SubmissionID = val
+// SetResourceType sets the value of ResourceType.
+func (s *Script) SetResourceType(val int32) {
+	s.ResourceType = val
+}
+
+// SetResourceID sets the value of ResourceID.
+func (s *Script) SetResourceID(val int64) {
+	s.ResourceID = val
 }

 // Ref: #/components/schemas/ScriptCreate
 type ScriptCreate struct {
+	Name         string   `json:"Name"`
 	Source       string   `json:"Source"`
-	SubmissionID OptInt64 `json:"SubmissionID"`
+	ResourceType int32    `json:"ResourceType"`
+	ResourceID   OptInt64 `json:"ResourceID"`
+}
+
+// GetName returns the value of Name.
+func (s *ScriptCreate) GetName() string {
+	return s.Name
 }

 // GetSource returns the value of Source.
@@ -487,9 +396,19 @@ func (s *ScriptCreate) GetSource() string {
 	return s.Source
 }

-// GetSubmissionID returns the value of SubmissionID.
-func (s *ScriptCreate) GetSubmissionID() OptInt64 {
-	return s.SubmissionID
+// GetResourceType returns the value of ResourceType.
+func (s *ScriptCreate) GetResourceType() int32 {
+	return s.ResourceType
+}
+
+// GetResourceID returns the value of ResourceID.
+func (s *ScriptCreate) GetResourceID() OptInt64 {
+	return s.ResourceID
+}
+
+// SetName sets the value of Name.
+func (s *ScriptCreate) SetName(val string) {
+	s.Name = val
 }

 // SetSource sets the value of Source.
@@ -497,9 +416,14 @@ func (s *ScriptCreate) SetSource(val string) {
 	s.Source = val
 }

-// SetSubmissionID sets the value of SubmissionID.
-func (s *ScriptCreate) SetSubmissionID(val OptInt64) {
-	s.SubmissionID = val
+// SetResourceType sets the value of ResourceType.
+func (s *ScriptCreate) SetResourceType(val int32) {
+	s.ResourceType = val
+}
+
+// SetResourceID sets the value of ResourceID.
+func (s *ScriptCreate) SetResourceID(val OptInt64) {
+	s.ResourceID = val
 }

 // Ref: #/components/schemas/ScriptPolicy
@@ -587,54 +511,6 @@ func (s *ScriptPolicyCreate) SetPolicy(val int32) {
 	s.Policy = val
 }

-// Ref: #/components/schemas/ScriptPolicyFilter
-type ScriptPolicyFilter struct {
-	ID             OptInt64  `json:"ID"`
-	FromScriptHash OptString `json:"FromScriptHash"`
-	ToScriptID     OptInt64  `json:"ToScriptID"`
-	Policy         OptInt32  `json:"Policy"`
-}
-
-// GetID returns the value of ID.
-func (s *ScriptPolicyFilter) GetID() OptInt64 {
-	return s.ID
-}
-
-// GetFromScriptHash returns the value of FromScriptHash.
-func (s *ScriptPolicyFilter) GetFromScriptHash() OptString {
-	return s.FromScriptHash
-}
-
-// GetToScriptID returns the value of ToScriptID.
-func (s *ScriptPolicyFilter) GetToScriptID() OptInt64 {
-	return s.ToScriptID
-}
-
-// GetPolicy returns the value of Policy.
-func (s *ScriptPolicyFilter) GetPolicy() OptInt32 {
-	return s.Policy
-}
-
-// SetID sets the value of ID.
-func (s *ScriptPolicyFilter) SetID(val OptInt64) {
-	s.ID = val
-}
-
-// SetFromScriptHash sets the value of FromScriptHash.
-func (s *ScriptPolicyFilter) SetFromScriptHash(val OptString) {
-	s.FromScriptHash = val
-}
-
-// SetToScriptID sets the value of ToScriptID.
-func (s *ScriptPolicyFilter) SetToScriptID(val OptInt64) {
-	s.ToScriptID = val
-}
-
-// SetPolicy sets the value of Policy.
-func (s *ScriptPolicyFilter) SetPolicy(val OptInt32) {
-	s.Policy = val
-}
-
 // Ref: #/components/schemas/ScriptPolicyUpdate
 type ScriptPolicyUpdate struct {
 	ID           int64    `json:"ID"`
@@ -686,8 +562,10 @@ func (s *ScriptPolicyUpdate) SetPolicy(val OptInt32) {
 // Ref: #/components/schemas/ScriptUpdate
 type ScriptUpdate struct {
 	ID           int64     `json:"ID"`
+	Name         OptString `json:"Name"`
 	Source       OptString `json:"Source"`
-	SubmissionID OptInt64  `json:"SubmissionID"`
+	ResourceType OptInt32  `json:"ResourceType"`
+	ResourceID   OptInt64  `json:"ResourceID"`
 }

 // GetID returns the value of ID.
@@ -695,14 +573,24 @@ func (s *ScriptUpdate) GetID() int64 {
 	return s.ID
 }

+// GetName returns the value of Name.
+func (s *ScriptUpdate) GetName() OptString {
+	return s.Name
+}
+
 // GetSource returns the value of Source.
 func (s *ScriptUpdate) GetSource() OptString {
 	return s.Source
 }

-// GetSubmissionID returns the value of SubmissionID.
-func (s *ScriptUpdate) GetSubmissionID() OptInt64 {
-	return s.SubmissionID
+// GetResourceType returns the value of ResourceType.
+func (s *ScriptUpdate) GetResourceType() OptInt32 {
+	return s.ResourceType
+}
+
+// GetResourceID returns the value of ResourceID.
+func (s *ScriptUpdate) GetResourceID() OptInt64 {
+	return s.ResourceID
 }

 // SetID sets the value of ID.
@@ -710,14 +598,24 @@ func (s *ScriptUpdate) SetID(val int64) {
 	s.ID = val
 }

+// SetName sets the value of Name.
+func (s *ScriptUpdate) SetName(val OptString) {
+	s.Name = val
+}
+
 // SetSource sets the value of Source.
 func (s *ScriptUpdate) SetSource(val OptString) {
 	s.Source = val
 }

-// SetSubmissionID sets the value of SubmissionID.
-func (s *ScriptUpdate) SetSubmissionID(val OptInt64) {
-	s.SubmissionID = val
+// SetResourceType sets the value of ResourceType.
+func (s *ScriptUpdate) SetResourceType(val OptInt32) {
+	s.ResourceType = val
+}
+
+// SetResourceID sets the value of ResourceID.
+func (s *ScriptUpdate) SetResourceID(val OptInt64) {
+	s.ResourceID = val
 }

 // SetSubmissionCompletedNoContent is response for SetSubmissionCompleted operation.
@@ -725,19 +623,19 @@ type SetSubmissionCompletedNoContent struct{}

 // Ref: #/components/schemas/Submission
 type Submission struct {
-	ID             int64    `json:"ID"`
-	DisplayName    string   `json:"DisplayName"`
-	Creator        string   `json:"Creator"`
-	GameID         int32    `json:"GameID"`
-	CreatedAt      int64    `json:"CreatedAt"`
-	UpdatedAt      int64    `json:"UpdatedAt"`
-	Submitter      int64    `json:"Submitter"`
-	AssetID        int64    `json:"AssetID"`
-	AssetVersion   int64    `json:"AssetVersion"`
-	Completed      bool     `json:"Completed"`
-	SubmissionType int32    `json:"SubmissionType"`
-	TargetAssetID  OptInt64 `json:"TargetAssetID"`
-	StatusID       int32    `json:"StatusID"`
+	ID              int64    `json:"ID"`
+	DisplayName     string   `json:"DisplayName"`
+	Creator         string   `json:"Creator"`
+	GameID          int32    `json:"GameID"`
+	CreatedAt       int64    `json:"CreatedAt"`
+	UpdatedAt       int64    `json:"UpdatedAt"`
+	Submitter       int64    `json:"Submitter"`
+	AssetID         int64    `json:"AssetID"`
+	AssetVersion    int64    `json:"AssetVersion"`
+	Completed       bool     `json:"Completed"`
+	UploadedAssetID OptInt64 `json:"UploadedAssetID"`
+	StatusID        int32    `json:"StatusID"`
+	StatusMessage   string   `json:"StatusMessage"`
 }

 // GetID returns the value of ID.
@@ -790,14 +688,9 @@ func (s *Submission) GetCompleted() bool {
 	return s.Completed
 }

-// GetSubmissionType returns the value of SubmissionType.
-func (s *Submission) GetSubmissionType() int32 {
-	return s.SubmissionType
-}
-
-// GetTargetAssetID returns the value of TargetAssetID.
-func (s *Submission) GetTargetAssetID() OptInt64 {
-	return s.TargetAssetID
+// GetUploadedAssetID returns the value of UploadedAssetID.
+func (s *Submission) GetUploadedAssetID() OptInt64 {
+	return s.UploadedAssetID
 }

 // GetStatusID returns the value of StatusID.
@@ -805,6 +698,11 @@ func (s *Submission) GetStatusID() int32 {
 	return s.StatusID
 }

+// GetStatusMessage returns the value of StatusMessage.
+func (s *Submission) GetStatusMessage() string {
+	return s.StatusMessage
+}
+
 // SetID sets the value of ID.
 func (s *Submission) SetID(val int64) {
 	s.ID = val
@@ -855,14 +753,9 @@ func (s *Submission) SetCompleted(val bool) {
 	s.Completed = val
 }

-// SetSubmissionType sets the value of SubmissionType.
-func (s *Submission) SetSubmissionType(val int32) {
-	s.SubmissionType = val
-}
-
-// SetTargetAssetID sets the value of TargetAssetID.
-func (s *Submission) SetTargetAssetID(val OptInt64) {
-	s.TargetAssetID = val
+// SetUploadedAssetID sets the value of UploadedAssetID.
+func (s *Submission) SetUploadedAssetID(val OptInt64) {
+	s.UploadedAssetID = val
 }

 // SetStatusID sets the value of StatusID.
@@ -870,14 +763,18 @@ func (s *Submission) SetStatusID(val int32) {
 	s.StatusID = val
 }

+// SetStatusMessage sets the value of StatusMessage.
+func (s *Submission) SetStatusMessage(val string) {
+	s.StatusMessage = val
+}
+
 // Ref: #/components/schemas/SubmissionCreate
 type SubmissionCreate struct {
-	DisplayName   string   `json:"DisplayName"`
-	Creator       string   `json:"Creator"`
-	GameID        int32    `json:"GameID"`
-	AssetID       int64    `json:"AssetID"`
-	AssetVersion  int64    `json:"AssetVersion"`
-	TargetAssetID OptInt64 `json:"TargetAssetID"`
+	DisplayName  string `json:"DisplayName"`
+	Creator      string `json:"Creator"`
+	GameID       int32  `json:"GameID"`
+	AssetID      int64  `json:"AssetID"`
+	AssetVersion int64  `json:"AssetVersion"`
 }

 // GetDisplayName returns the value of DisplayName.
@@ -905,11 +802,6 @@ func (s *SubmissionCreate) GetAssetVersion() int64 {
 	return s.AssetVersion
 }

-// GetTargetAssetID returns the value of TargetAssetID.
-func (s *SubmissionCreate) GetTargetAssetID() OptInt64 {
-	return s.TargetAssetID
-}
-
 // SetDisplayName sets the value of DisplayName.
 func (s *SubmissionCreate) SetDisplayName(val string) {
 	s.DisplayName = val
@@ -935,59 +827,6 @@ func (s *SubmissionCreate) SetAssetVersion(val int64) {
 	s.AssetVersion = val
 }

-// SetTargetAssetID sets the value of TargetAssetID.
-func (s *SubmissionCreate) SetTargetAssetID(val OptInt64) {
-	s.TargetAssetID = val
-}
-
-// Ref: #/components/schemas/SubmissionFilter
-type SubmissionFilter struct {
-	ID          int64     `json:"ID"`
-	DisplayName OptString `json:"DisplayName"`
-	Creator     OptString `json:"Creator"`
-	GameID      OptInt32  `json:"GameID"`
-}
-
-// GetID returns the value of ID.
-func (s *SubmissionFilter) GetID() int64 {
-	return s.ID
-}
-
-// GetDisplayName returns the value of DisplayName.
-func (s *SubmissionFilter) GetDisplayName() OptString {
-	return s.DisplayName
-}
-
-// GetCreator returns the value of Creator.
-func (s *SubmissionFilter) GetCreator() OptString {
-	return s.Creator
-}
-
-// GetGameID returns the value of GameID.
-func (s *SubmissionFilter) GetGameID() OptInt32 {
-	return s.GameID
-}
-
-// SetID sets the value of ID.
-func (s *SubmissionFilter) SetID(val int64) {
-	s.ID = val
-}
-
-// SetDisplayName sets the value of DisplayName.
-func (s *SubmissionFilter) SetDisplayName(val OptString) {
-	s.DisplayName = val
-}
-
-// SetCreator sets the value of Creator.
-func (s *SubmissionFilter) SetCreator(val OptString) {
-	s.Creator = val
-}
-
-// SetGameID sets the value of GameID.
-func (s *SubmissionFilter) SetGameID(val OptInt32) {
-	s.GameID = val
-}
-
 // UpdateScriptNoContent is response for UpdateScript operation.
 type UpdateScriptNoContent struct{}

@@ -996,3 +835,40 @@ type UpdateScriptPolicyNoContent struct{}

 // UpdateSubmissionModelNoContent is response for UpdateSubmissionModel operation.
 type UpdateSubmissionModelNoContent struct{}
+
+// Ref: #/components/schemas/User
+type User struct {
+	UserID    int64  `json:"UserID"`
+	Username  string `json:"Username"`
+	AvatarURL string `json:"AvatarURL"`
+}
+
+// GetUserID returns the value of UserID.
+func (s *User) GetUserID() int64 {
+	return s.UserID
+}
+
+// GetUsername returns the value of Username.
+func (s *User) GetUsername() string {
+	return s.Username
+}
+
+// GetAvatarURL returns the value of AvatarURL.
+func (s *User) GetAvatarURL() string {
+	return s.AvatarURL
+}
+
+// SetUserID sets the value of UserID.
+func (s *User) SetUserID(val int64) {
+	s.UserID = val
+}
+
+// SetUsername sets the value of Username.
+func (s *User) SetUsername(val string) {
+	s.Username = val
+}
+
+// SetAvatarURL sets the value of AvatarURL.
+func (s *User) SetAvatarURL(val string) {
+	s.AvatarURL = val
+}
--- a/pkg/api/oas_server_gen.go
+++ b/pkg/api/oas_server_gen.go
@@ -8,12 +8,12 @@ import (

 // Handler handles operations described by OpenAPI v3 specification.
 type Handler interface {
-	// ActionSubmissionPublish implements actionSubmissionPublish operation.
+	// ActionSubmissionAccepted implements actionSubmissionAccepted operation.
 	//
-	// (Internal endpoint) Role Validator changes status from Publishing -> Published.
+	// Role Reviewer manually resets validating softlock and changes status from Validating -> Accepted.
 	//
-	// POST /submissions/{SubmissionID}/status/validator-published
-	ActionSubmissionPublish(ctx context.Context, params ActionSubmissionPublishParams) error
+	// POST /submissions/{SubmissionID}/status/reset-validating
+	ActionSubmissionAccepted(ctx context.Context, params ActionSubmissionAcceptedParams) error
 	// ActionSubmissionReject implements actionSubmissionReject operation.
 	//
 	// Role Reviewer changes status from Submitted -> Rejected.
@@ -26,6 +26,12 @@ type Handler interface {
 	//
 	// POST /submissions/{SubmissionID}/status/request-changes
 	ActionSubmissionRequestChanges(ctx context.Context, params ActionSubmissionRequestChangesParams) error
+	// ActionSubmissionRetryValidate implements actionSubmissionRetryValidate operation.
+	//
+	// Role Reviewer re-runs validation and changes status from Accepted -> Validating.
+	//
+	// POST /submissions/{SubmissionID}/status/retry-validate
+	ActionSubmissionRetryValidate(ctx context.Context, params ActionSubmissionRetryValidateParams) error
 	// ActionSubmissionRevoke implements actionSubmissionRevoke operation.
 	//
 	// Role Submitter changes status from Submitted|ChangesRequested -> UnderConstruction.
@@ -38,24 +44,24 @@ type Handler interface {
 	//
 	// POST /submissions/{SubmissionID}/status/submit
 	ActionSubmissionSubmit(ctx context.Context, params ActionSubmissionSubmitParams) error
-	// ActionSubmissionTriggerPublish implements actionSubmissionTriggerPublish operation.
+	// ActionSubmissionTriggerUpload implements actionSubmissionTriggerUpload operation.
 	//
-	// Role Admin changes status from Validated -> Publishing.
+	// Role Admin changes status from Validated -> Uploading.
 	//
-	// POST /submissions/{SubmissionID}/status/trigger-publish
-	ActionSubmissionTriggerPublish(ctx context.Context, params ActionSubmissionTriggerPublishParams) error
+	// POST /submissions/{SubmissionID}/status/trigger-upload
+	ActionSubmissionTriggerUpload(ctx context.Context, params ActionSubmissionTriggerUploadParams) error
 	// ActionSubmissionTriggerValidate implements actionSubmissionTriggerValidate operation.
 	//
-	// Role Reviewer triggers validation and changes status from Submitted|Accepted -> Validating.
+	// Role Reviewer triggers validation and changes status from Submitted -> Validating.
 	//
 	// POST /submissions/{SubmissionID}/status/trigger-validate
 	ActionSubmissionTriggerValidate(ctx context.Context, params ActionSubmissionTriggerValidateParams) error
-	// ActionSubmissionValidate implements actionSubmissionValidate operation.
+	// ActionSubmissionValidated implements actionSubmissionValidated operation.
 	//
-	// (Internal endpoint) Role Validator changes status from Validating -> Validated.
+	// Role Admin manually resets uploading softlock and changes status from Uploading -> Validated.
 	//
-	// POST /submissions/{SubmissionID}/status/validator-validated
-	ActionSubmissionValidate(ctx context.Context, params ActionSubmissionValidateParams) error
+	// POST /submissions/{SubmissionID}/status/reset-uploading
+	ActionSubmissionValidated(ctx context.Context, params ActionSubmissionValidatedParams) error
 	// CreateScript implements createScript operation.
 	//
 	// Create a new script.
@@ -84,7 +90,7 @@ type Handler interface {
 	//
 	// Delete the specified script policy by ID.
 	//
-	// DELETE /script-policy/id/{ScriptPolicyID}
+	// DELETE /script-policy/{ScriptPolicyID}
 	DeleteScriptPolicy(ctx context.Context, params DeleteScriptPolicyParams) error
 	// GetScript implements getScript operation.
 	//
@@ -96,14 +102,8 @@ type Handler interface {
 	//
 	// Get the specified script policy by ID.
 	//
-	// GET /script-policy/id/{ScriptPolicyID}
+	// GET /script-policy/{ScriptPolicyID}
 	GetScriptPolicy(ctx context.Context, params GetScriptPolicyParams) (*ScriptPolicy, error)
-	// GetScriptPolicyFromHash implements getScriptPolicyFromHash operation.
-	//
-	// Get the policy for the given hash of script source code.
-	//
-	// GET /script-policy/hash/{FromScriptHash}
-	GetScriptPolicyFromHash(ctx context.Context, params GetScriptPolicyFromHashParams) (*ScriptPolicy, error)
 	// GetSubmission implements getSubmission operation.
 	//
 	// Retrieve map with ID.
@@ -115,16 +115,46 @@ type Handler interface {
 	// Get list of script policies.
 	//
 	// GET /script-policy
-	ListScriptPolicy(ctx context.Context, req *ListScriptPolicyReq) ([]ScriptPolicy, error)
+	ListScriptPolicy(ctx context.Context, params ListScriptPolicyParams) ([]ScriptPolicy, error)
+	// ListScripts implements listScripts operation.
+	//
+	// Get list of scripts.
+	//
+	// GET /scripts
+	ListScripts(ctx context.Context, params ListScriptsParams) ([]Script, error)
 	// ListSubmissions implements listSubmissions operation.
 	//
 	// Get list of submissions.
 	//
 	// GET /submissions
-	ListSubmissions(ctx context.Context, req *ListSubmissionsReq) ([]Submission, error)
+	ListSubmissions(ctx context.Context, params ListSubmissionsParams) ([]Submission, error)
+	// ReleaseSubmissions implements releaseSubmissions operation.
+	//
+	// Release a set of uploaded maps.
+	//
+	// POST /release-submissions
+	ReleaseSubmissions(ctx context.Context, req []ReleaseInfo) error
+	// SessionRoles implements sessionRoles operation.
+	//
+	// Get list of roles for the current session.
+	//
+	// GET /session/roles
+	SessionRoles(ctx context.Context) (*Roles, error)
+	// SessionUser implements sessionUser operation.
+	//
+	// Get information about the currently logged in user.
+	//
+	// GET /session/user
+	SessionUser(ctx context.Context) (*User, error)
+	// SessionValidate implements sessionValidate operation.
+	//
+	// Ask if the current session is valid.
+	//
+	// GET /session/validate
+	SessionValidate(ctx context.Context) (bool, error)
 	// SetSubmissionCompleted implements setSubmissionCompleted operation.
 	//
-	// Retrieve map with ID.
+	// Called by maptest when a player completes the map.
 	//
 	// POST /submissions/{SubmissionID}/completed
 	SetSubmissionCompleted(ctx context.Context, params SetSubmissionCompletedParams) error
@@ -138,7 +168,7 @@ type Handler interface {
 	//
 	// Update the specified script policy by ID.
 	//
-	// POST /script-policy/id/{ScriptPolicyID}
+	// POST /script-policy/{ScriptPolicyID}
 	UpdateScriptPolicy(ctx context.Context, req *ScriptPolicyUpdate, params UpdateScriptPolicyParams) error
 	// UpdateSubmissionModel implements updateSubmissionModel operation.
 	//
--- a/pkg/api/oas_unimplemented_gen.go
+++ b/pkg/api/oas_unimplemented_gen.go
@@ -13,12 +13,12 @@ type UnimplementedHandler struct{}

 var _ Handler = UnimplementedHandler{}

-// ActionSubmissionPublish implements actionSubmissionPublish operation.
+// ActionSubmissionAccepted implements actionSubmissionAccepted operation.
 //
-// (Internal endpoint) Role Validator changes status from Publishing -> Published.
+// Role Reviewer manually resets validating softlock and changes status from Validating -> Accepted.
 //
-// POST /submissions/{SubmissionID}/status/validator-published
-func (UnimplementedHandler) ActionSubmissionPublish(ctx context.Context, params ActionSubmissionPublishParams) error {
+// POST /submissions/{SubmissionID}/status/reset-validating
+func (UnimplementedHandler) ActionSubmissionAccepted(ctx context.Context, params ActionSubmissionAcceptedParams) error {
 	return ht.ErrNotImplemented
 }

@@ -40,6 +40,15 @@ func (UnimplementedHandler) ActionSubmissionRequestChanges(ctx context.Context,
 	return ht.ErrNotImplemented
 }

+// ActionSubmissionRetryValidate implements actionSubmissionRetryValidate operation.
+//
+// Role Reviewer re-runs validation and changes status from Accepted -> Validating.
+//
+// POST /submissions/{SubmissionID}/status/retry-validate
+func (UnimplementedHandler) ActionSubmissionRetryValidate(ctx context.Context, params ActionSubmissionRetryValidateParams) error {
+	return ht.ErrNotImplemented
+}
+
 // ActionSubmissionRevoke implements actionSubmissionRevoke operation.
 //
 // Role Submitter changes status from Submitted|ChangesRequested -> UnderConstruction.
@@ -58,30 +67,30 @@ func (UnimplementedHandler) ActionSubmissionSubmit(ctx context.Context, params A
 	return ht.ErrNotImplemented
 }

-// ActionSubmissionTriggerPublish implements actionSubmissionTriggerPublish operation.
+// ActionSubmissionTriggerUpload implements actionSubmissionTriggerUpload operation.
 //
-// Role Admin changes status from Validated -> Publishing.
+// Role Admin changes status from Validated -> Uploading.
 //
-// POST /submissions/{SubmissionID}/status/trigger-publish
-func (UnimplementedHandler) ActionSubmissionTriggerPublish(ctx context.Context, params ActionSubmissionTriggerPublishParams) error {
+// POST /submissions/{SubmissionID}/status/trigger-upload
+func (UnimplementedHandler) ActionSubmissionTriggerUpload(ctx context.Context, params ActionSubmissionTriggerUploadParams) error {
 	return ht.ErrNotImplemented
 }

 // ActionSubmissionTriggerValidate implements actionSubmissionTriggerValidate operation.
 //
-// Role Reviewer triggers validation and changes status from Submitted|Accepted -> Validating.
+// Role Reviewer triggers validation and changes status from Submitted -> Validating.
 //
 // POST /submissions/{SubmissionID}/status/trigger-validate
 func (UnimplementedHandler) ActionSubmissionTriggerValidate(ctx context.Context, params ActionSubmissionTriggerValidateParams) error {
 	return ht.ErrNotImplemented
 }

-// ActionSubmissionValidate implements actionSubmissionValidate operation.
+// ActionSubmissionValidated implements actionSubmissionValidated operation.
 //
-// (Internal endpoint) Role Validator changes status from Validating -> Validated.
+// Role Admin manually resets uploading softlock and changes status from Uploading -> Validated.
 //
-// POST /submissions/{SubmissionID}/status/validator-validated
-func (UnimplementedHandler) ActionSubmissionValidate(ctx context.Context, params ActionSubmissionValidateParams) error {
+// POST /submissions/{SubmissionID}/status/reset-uploading
+func (UnimplementedHandler) ActionSubmissionValidated(ctx context.Context, params ActionSubmissionValidatedParams) error {
 	return ht.ErrNotImplemented
 }

@@ -125,7 +134,7 @@ func (UnimplementedHandler) DeleteScript(ctx context.Context, params DeleteScrip
 //
 // Delete the specified script policy by ID.
 //
-// DELETE /script-policy/id/{ScriptPolicyID}
+// DELETE /script-policy/{ScriptPolicyID}
 func (UnimplementedHandler) DeleteScriptPolicy(ctx context.Context, params DeleteScriptPolicyParams) error {
 	return ht.ErrNotImplemented
 }
@@ -143,20 +152,11 @@ func (UnimplementedHandler) GetScript(ctx context.Context, params GetScriptParam
 //
 // Get the specified script policy by ID.
 //
-// GET /script-policy/id/{ScriptPolicyID}
+// GET /script-policy/{ScriptPolicyID}
 func (UnimplementedHandler) GetScriptPolicy(ctx context.Context, params GetScriptPolicyParams) (r *ScriptPolicy, _ error) {
 	return r, ht.ErrNotImplemented
 }

-// GetScriptPolicyFromHash implements getScriptPolicyFromHash operation.
-//
-// Get the policy for the given hash of script source code.
-//
-// GET /script-policy/hash/{FromScriptHash}
-func (UnimplementedHandler) GetScriptPolicyFromHash(ctx context.Context, params GetScriptPolicyFromHashParams) (r *ScriptPolicy, _ error) {
-	return r, ht.ErrNotImplemented
-}
-
 // GetSubmission implements getSubmission operation.
 //
 // Retrieve map with ID.
@@ -171,7 +171,16 @@ func (UnimplementedHandler) GetSubmission(ctx context.Context, params GetSubmiss
 // Get list of script policies.
 //
 // GET /script-policy
-func (UnimplementedHandler) ListScriptPolicy(ctx context.Context, req *ListScriptPolicyReq) (r []ScriptPolicy, _ error) {
+func (UnimplementedHandler) ListScriptPolicy(ctx context.Context, params ListScriptPolicyParams) (r []ScriptPolicy, _ error) {
+	return r, ht.ErrNotImplemented
+}
+
+// ListScripts implements listScripts operation.
+//
+// Get list of scripts.
+//
+// GET /scripts
+func (UnimplementedHandler) ListScripts(ctx context.Context, params ListScriptsParams) (r []Script, _ error) {
 	return r, ht.ErrNotImplemented
 }

@@ -180,13 +189,49 @@ func (UnimplementedHandler) ListScriptPolicy(ctx context.Context, req *ListScrip
 // Get list of submissions.
 //
 // GET /submissions
-func (UnimplementedHandler) ListSubmissions(ctx context.Context, req *ListSubmissionsReq) (r []Submission, _ error) {
+func (UnimplementedHandler) ListSubmissions(ctx context.Context, params ListSubmissionsParams) (r []Submission, _ error) {
+	return r, ht.ErrNotImplemented
+}
+
+// ReleaseSubmissions implements releaseSubmissions operation.
+//
+// Release a set of uploaded maps.
+//
+// POST /release-submissions
+func (UnimplementedHandler) ReleaseSubmissions(ctx context.Context, req []ReleaseInfo) error {
+	return ht.ErrNotImplemented
+}
+
+// SessionRoles implements sessionRoles operation.
+//
+// Get list of roles for the current session.
+//
+// GET /session/roles
+func (UnimplementedHandler) SessionRoles(ctx context.Context) (r *Roles, _ error) {
+	return r, ht.ErrNotImplemented
+}
+
+// SessionUser implements sessionUser operation.
+//
+// Get information about the currently logged in user.
+//
+// GET /session/user
+func (UnimplementedHandler) SessionUser(ctx context.Context) (r *User, _ error) {
+	return r, ht.ErrNotImplemented
+}
+
+// SessionValidate implements sessionValidate operation.
+//
+// Ask if the current session is valid.
+//
+// GET /session/validate
+func (UnimplementedHandler) SessionValidate(ctx context.Context) (r bool, _ error) {
 	return r, ht.ErrNotImplemented
 }

 // SetSubmissionCompleted implements setSubmissionCompleted operation.
 //
-// Retrieve map with ID.
+// Called by maptest when a player completes the map.
 //
 // POST /submissions/{SubmissionID}/completed
 func (UnimplementedHandler) SetSubmissionCompleted(ctx context.Context, params SetSubmissionCompletedParams) error {
@@ -206,7 +251,7 @@ func (UnimplementedHandler) UpdateScript(ctx context.Context, req *ScriptUpdate,
 //
 // Update the specified script policy by ID.
 //
-// POST /script-policy/id/{ScriptPolicyID}
+// POST /script-policy/{ScriptPolicyID}
 func (UnimplementedHandler) UpdateScriptPolicy(ctx context.Context, req *ScriptPolicyUpdate, params UpdateScriptPolicyParams) error {
 	return ht.ErrNotImplemented
 }
--- a/pkg/api/oas_validators_gen.go
+++ b/pkg/api/oas_validators_gen.go
@@ -8,146 +8,31 @@ import (
 	"github.com/ogen-go/ogen/validate"
 )

-func (s *ListScriptPolicyReq) Validate() error {
-	if s == nil {
-		return validate.ErrNilPointer
-	}
-
-	var failures []validate.FieldError
-	if err := func() error {
-		if err := s.Page.Validate(); err != nil {
-			return err
-		}
-		return nil
-	}(); err != nil {
-		failures = append(failures, validate.FieldError{
-			Name:  "Page",
-			Error: err,
-		})
-	}
-	if err := func() error {
-		if value, ok := s.Filter.Get(); ok {
-			if err := func() error {
-				if err := value.Validate(); err != nil {
-					return err
-				}
-				return nil
-			}(); err != nil {
-				return err
-			}
-		}
-		return nil
-	}(); err != nil {
-		failures = append(failures, validate.FieldError{
-			Name:  "Filter",
-			Error: err,
-		})
-	}
-	if len(failures) > 0 {
-		return &validate.Error{Fields: failures}
-	}
-	return nil
-}
-
-func (s *ListSubmissionsReq) Validate() error {
-	if s == nil {
-		return validate.ErrNilPointer
-	}
-
-	var failures []validate.FieldError
-	if err := func() error {
-		if err := s.Page.Validate(); err != nil {
-			return err
-		}
-		return nil
-	}(); err != nil {
-		failures = append(failures, validate.FieldError{
-			Name:  "Page",
-			Error: err,
-		})
-	}
-	if err := func() error {
-		if value, ok := s.Filter.Get(); ok {
-			if err := func() error {
-				if err := value.Validate(); err != nil {
-					return err
-				}
-				return nil
-			}(); err != nil {
-				return err
-			}
-		}
-		return nil
-	}(); err != nil {
-		failures = append(failures, validate.FieldError{
-			Name:  "Filter",
-			Error: err,
-		})
-	}
-	if len(failures) > 0 {
-		return &validate.Error{Fields: failures}
-	}
-	return nil
-}
-
-func (s *Pagination) Validate() error {
-	if s == nil {
-		return validate.ErrNilPointer
-	}
-
-	var failures []validate.FieldError
-	if err := func() error {
-		if err := (validate.Int{
-			MinSet:        true,
-			Min:           1,
-			MaxSet:        false,
-			Max:           0,
-			MinExclusive:  false,
-			MaxExclusive:  false,
-			MultipleOfSet: false,
-			MultipleOf:    0,
-		}).Validate(int64(s.Page)); err != nil {
-			return errors.Wrap(err, "int")
-		}
-		return nil
-	}(); err != nil {
-		failures = append(failures, validate.FieldError{
-			Name:  "Page",
-			Error: err,
-		})
-	}
-	if err := func() error {
-		if err := (validate.Int{
-			MinSet:        true,
-			Min:           1,
-			MaxSet:        true,
-			Max:           100,
-			MinExclusive:  false,
-			MaxExclusive:  false,
-			MultipleOfSet: false,
-			MultipleOf:    0,
-		}).Validate(int64(s.Limit)); err != nil {
-			return errors.Wrap(err, "int")
-		}
-		return nil
-	}(); err != nil {
-		failures = append(failures, validate.FieldError{
-			Name:  "Limit",
-			Error: err,
-		})
-	}
-	if len(failures) > 0 {
-		return &validate.Error{Fields: failures}
-	}
-	return nil
-}
-
 func (s *Script) Validate() error {
 	if s == nil {
 		return validate.ErrNilPointer
 	}

 	var failures []validate.FieldError
+	if err := func() error {
+		if err := (validate.String{
+			MinLength:    0,
+			MinLengthSet: false,
+			MaxLength:    128,
+			MaxLengthSet: true,
+			Email:        false,
+			Hostname:     false,
+			Regex:        nil,
+		}).Validate(string(s.Name)); err != nil {
+			return errors.Wrap(err, "string")
+		}
+		return nil
+	}(); err != nil {
+		failures = append(failures, validate.FieldError{
+			Name:  "Name",
+			Error: err,
+		})
+	}
 	if err := func() error {
 		if err := (validate.String{
 			MinLength:    16,
@@ -198,6 +83,25 @@ func (s *ScriptCreate) Validate() error {
 	}

 	var failures []validate.FieldError
+	if err := func() error {
+		if err := (validate.String{
+			MinLength:    0,
+			MinLengthSet: false,
+			MaxLength:    128,
+			MaxLengthSet: true,
+			Email:        false,
+			Hostname:     false,
+			Regex:        nil,
+		}).Validate(string(s.Name)); err != nil {
+			return errors.Wrap(err, "string")
+		}
+		return nil
+	}(); err != nil {
+		failures = append(failures, validate.FieldError{
+			Name:  "Name",
+			Error: err,
+		})
+	}
 	if err := func() error {
 		if err := (validate.String{
 			MinLength:    0,
@@ -254,19 +158,19 @@ func (s *ScriptPolicy) Validate() error {
 	return nil
 }

-func (s *ScriptPolicyFilter) Validate() error {
+func (s *ScriptUpdate) Validate() error {
 	if s == nil {
 		return validate.ErrNilPointer
 	}

 	var failures []validate.FieldError
 	if err := func() error {
-		if value, ok := s.FromScriptHash.Get(); ok {
+		if value, ok := s.Name.Get(); ok {
 			if err := func() error {
 				if err := (validate.String{
-					MinLength:    16,
-					MinLengthSet: true,
-					MaxLength:    16,
+					MinLength:    0,
+					MinLengthSet: false,
+					MaxLength:    128,
 					MaxLengthSet: true,
 					Email:        false,
 					Hostname:     false,
@@ -282,22 +186,10 @@ func (s *ScriptPolicyFilter) Validate() error {
 		return nil
 	}(); err != nil {
 		failures = append(failures, validate.FieldError{
-			Name:  "FromScriptHash",
+			Name:  "Name",
 			Error: err,
 		})
 	}
-	if len(failures) > 0 {
-		return &validate.Error{Fields: failures}
-	}
-	return nil
-}
-
-func (s *ScriptUpdate) Validate() error {
-	if s == nil {
-		return validate.ErrNilPointer
-	}
-
-	var failures []validate.FieldError
 	if err := func() error {
 		if value, ok := s.Source.Get(); ok {
 			if err := func() error {
@@ -374,6 +266,25 @@ func (s *Submission) Validate() error {
 			Error: err,
 		})
 	}
+	if err := func() error {
+		if err := (validate.String{
+			MinLength:    0,
+			MinLengthSet: false,
+			MaxLength:    256,
+			MaxLengthSet: true,
+			Email:        false,
+			Hostname:     false,
+			Regex:        nil,
+		}).Validate(string(s.StatusMessage)); err != nil {
+			return errors.Wrap(err, "string")
+		}
+		return nil
+	}(); err != nil {
+		failures = append(failures, validate.FieldError{
+			Name:  "StatusMessage",
+			Error: err,
+		})
+	}
 	if len(failures) > 0 {
 		return &validate.Error{Fields: failures}
 	}
@@ -430,61 +341,47 @@ func (s *SubmissionCreate) Validate() error {
 	return nil
 }

-func (s *SubmissionFilter) Validate() error {
+func (s *User) Validate() error {
 	if s == nil {
 		return validate.ErrNilPointer
 	}

 	var failures []validate.FieldError
 	if err := func() error {
-		if value, ok := s.DisplayName.Get(); ok {
-			if err := func() error {
-				if err := (validate.String{
-					MinLength:    0,
-					MinLengthSet: false,
-					MaxLength:    128,
-					MaxLengthSet: true,
-					Email:        false,
-					Hostname:     false,
-					Regex:        nil,
-				}).Validate(string(value)); err != nil {
-					return errors.Wrap(err, "string")
-				}
-				return nil
-			}(); err != nil {
-				return err
-			}
+		if err := (validate.String{
+			MinLength:    0,
+			MinLengthSet: false,
+			MaxLength:    128,
+			MaxLengthSet: true,
+			Email:        false,
+			Hostname:     false,
+			Regex:        nil,
+		}).Validate(string(s.Username)); err != nil {
+			return errors.Wrap(err, "string")
 		}
 		return nil
 	}(); err != nil {
 		failures = append(failures, validate.FieldError{
-			Name:  "DisplayName",
+			Name:  "Username",
 			Error: err,
 		})
 	}
 	if err := func() error {
-		if value, ok := s.Creator.Get(); ok {
-			if err := func() error {
-				if err := (validate.String{
-					MinLength:    0,
-					MinLengthSet: false,
-					MaxLength:    128,
-					MaxLengthSet: true,
-					Email:        false,
-					Hostname:     false,
-					Regex:        nil,
-				}).Validate(string(value)); err != nil {
-					return errors.Wrap(err, "string")
-				}
-				return nil
-			}(); err != nil {
-				return err
-			}
+		if err := (validate.String{
+			MinLength:    0,
+			MinLengthSet: false,
+			MaxLength:    256,
+			MaxLengthSet: true,
+			Email:        false,
+			Hostname:     false,
+			Regex:        nil,
+		}).Validate(string(s.AvatarURL)); err != nil {
+			return errors.Wrap(err, "string")
 		}
 		return nil
 	}(); err != nil {
 		failures = append(failures, validate.FieldError{
-			Name:  "Creator",
+			Name:  "AvatarURL",
 			Error: err,
 		})
 	}
--- a/pkg/cmds/serve.go
+++ b/pkg/cmds/serve.go
@@ -2,16 +2,20 @@ package cmds

 import (
 	"fmt"
+	"net/http"
+
 	"git.itzana.me/strafesnet/go-grpc/auth"
+	"git.itzana.me/strafesnet/go-grpc/maps"
 	"git.itzana.me/strafesnet/maps-service/pkg/api"
 	"git.itzana.me/strafesnet/maps-service/pkg/datastore/gormstore"
+	internal "git.itzana.me/strafesnet/maps-service/pkg/internal"
 	"git.itzana.me/strafesnet/maps-service/pkg/service"
+	"git.itzana.me/strafesnet/maps-service/pkg/service_internal"
 	"github.com/nats-io/nats.go"
 	log "github.com/sirupsen/logrus"
 	"github.com/urfave/cli/v2"
 	"google.golang.org/grpc"
 	"google.golang.org/grpc/credentials/insecure"
-	"net/http"
 )

 func NewServeCommand() *cli.Command {
@@ -62,12 +66,24 @@ func NewServeCommand() *cli.Command {
 				Value:   8080,
 				EnvVars: []string{"PORT"},
 			},
+			&cli.IntFlag{
+				Name:    "port-internal",
+				Usage:   "Port to listen on for internal api",
+				Value:   8081,
+				EnvVars: []string{"PORT_INTERNAL"},
+			},
 			&cli.StringFlag{
 				Name:    "auth-rpc-host",
 				Usage:   "Host of auth rpc",
 				EnvVars: []string{"AUTH_RPC_HOST"},
 				Value:   "auth-service:8090",
 			},
+			&cli.StringFlag{
+				Name:    "data-rpc-host",
+				Usage:   "Host of data rpc",
+				EnvVars: []string{"DATA_RPC_HOST"},
+				Value:   "data-service:9000",
+			},
 			&cli.StringFlag{
 				Name:    "nats-host",
 				Usage:   "Host of nats",
@@ -101,12 +117,18 @@ func serve(ctx *cli.Context) error {
 		log.WithError(err).Fatal("failed to add stream")
 	}

+	// connect to main game database
+	conn, err := grpc.Dial(ctx.String("data-rpc-host"), grpc.WithTransportCredentials(insecure.NewCredentials()))
+	if err != nil {
+		log.Fatal(err)
+	}
 	svc := &service.Service{
 		DB:   db,
 		Nats: js,
+		Client: maps.NewMapsServiceClient(conn),
 	}

-	conn, err := grpc.Dial(ctx.String("auth-rpc-host"), grpc.WithTransportCredentials(insecure.NewCredentials()))
+	conn, err = grpc.Dial(ctx.String("auth-rpc-host"), grpc.WithTransportCredentials(insecure.NewCredentials()))
 	if err != nil {
 		log.Fatal(err)
 	}
@@ -119,5 +141,37 @@ func serve(ctx *cli.Context) error {
 		log.WithError(err).Fatal("failed to initialize api server")
 	}

-	return http.ListenAndServe(fmt.Sprintf(":%d", ctx.Int("port")), srv)
+	svc2 := &service_internal.Service{
+		DB:   db,
+		Nats: js,
+	}
+
+	srv2, err := internal.NewServer(svc2, internal.WithPathPrefix("/v1"))
+	if err != nil {
+		log.WithError(err).Fatal("failed to initialize api server")
+	}
+	// Channel to collect errors
+	errChan := make(chan error, 2)
+
+	// First server
+	go func(errChan chan error) {
+		errChan <- http.ListenAndServe(fmt.Sprintf(":%d", ctx.Int("port-internal")), srv2)
+	}(errChan)
+
+	// Second server
+	go func(errChan chan error) {
+		errChan <- http.ListenAndServe(fmt.Sprintf(":%d", ctx.Int("port")), srv)
+	}(errChan)
+
+	// Wait for the first error or completion of both tasks
+	for i := 0; i < 2; i++ {
+		err := <-errChan
+		if err != nil {
+			fmt.Println("Exiting due to:", err)
+			return err
+		}
+	}
+	log.Println("Both servers have stopped.")
+
+	return nil
 }
--- a/pkg/datastore/datastore.go
+++ b/pkg/datastore/datastore.go
@@ -9,6 +9,16 @@ import (
 var (
 	ErrNotExist        = errors.New("resource does not exist")
 	ErroNoRowsAffected = errors.New("query did not affect any rows")
+	ErrInvalidListSort = errors.New("invalid list sort parameter [1,2,3,4]")
+)
+
+type ListSort uint32
+const (
+	ListSortDisabled ListSort = 0
+	ListSortDisplayNameAscending ListSort = 1
+	ListSortDisplayNameDescending ListSort = 2
+	ListSortDateAscending ListSort = 3
+	ListSortDateDescending ListSort = 4
 )

 type Datastore interface {
@@ -22,10 +32,10 @@ type Submissions interface {
 	GetList(ctx context.Context, id []int64) ([]model.Submission, error)
 	Create(ctx context.Context, smap model.Submission) (model.Submission, error)
 	Update(ctx context.Context, id int64, values OptionalMap) error
-	IfStatusThenUpdate(ctx context.Context, id int64, statuses []model.Status, values OptionalMap) error
-	IfStatusThenUpdateAndGet(ctx context.Context, id int64, statuses []model.Status, values OptionalMap) (model.Submission, error)
+	IfStatusThenUpdate(ctx context.Context, id int64, statuses []model.SubmissionStatus, values OptionalMap) error
+	IfStatusThenUpdateAndGet(ctx context.Context, id int64, statuses []model.SubmissionStatus, values OptionalMap) (model.Submission, error)
 	Delete(ctx context.Context, id int64) error
-	List(ctx context.Context, filters OptionalMap, page model.Page) ([]model.Submission, error)
+	List(ctx context.Context, filters OptionalMap, page model.Page, sort ListSort) ([]model.Submission, error)
 }

 type Scripts interface {
@@ -33,6 +43,7 @@ type Scripts interface {
 	Create(ctx context.Context, smap model.Script) (model.Script, error)
 	Update(ctx context.Context, id int64, values OptionalMap) error
 	Delete(ctx context.Context, id int64) error
+	List(ctx context.Context, filters OptionalMap, page model.Page) ([]model.Script, error)
 }

 type ScriptPolicy interface {
--- a/pkg/datastore/gormstore/script_policy.go
+++ b/pkg/datastore/gormstore/script_policy.go
@@ -19,16 +19,18 @@ func (env *ScriptPolicy) Get(ctx context.Context, id int64) (model.ScriptPolicy,
 		if errors.Is(err, gorm.ErrRecordNotFound) {
 			return mdl, datastore.ErrNotExist
 		}
+		return mdl, err
 	}
 	return mdl, nil
 }

 func (env *ScriptPolicy) GetFromHash(ctx context.Context, hash uint64) (model.ScriptPolicy, error) {
 	var mdl model.ScriptPolicy
-	if err := env.db.Model(&model.ScriptPolicy{}).Where("hash = ?", hash).Error; err != nil {
+	if err := env.db.Take(&mdl,"from_script_hash = ?", hash).Error; err != nil {
 		if errors.Is(err, gorm.ErrRecordNotFound) {
 			return mdl, datastore.ErrNotExist
 		}
+		return mdl, err
 	}
 	return mdl, nil
 }
--- a/pkg/datastore/gormstore/scripts.go
+++ b/pkg/datastore/gormstore/scripts.go
@@ -19,6 +19,7 @@ func (env *Scripts) Get(ctx context.Context, id int64) (model.Script, error) {
 		if errors.Is(err, gorm.ErrRecordNotFound) {
 			return mdl, datastore.ErrNotExist
 		}
+		return mdl, err
 	}
 	return mdl, nil
 }
@@ -52,7 +53,7 @@ func (env *Scripts) Update(ctx context.Context, id int64, values datastore.Optio
 }

 // the update can only occur if the status matches one of the provided values.
-func (env *Scripts) IfStatusThenUpdate(ctx context.Context, id int64, statuses []model.Status, values datastore.OptionalMap) error {
+func (env *Scripts) IfStatusThenUpdate(ctx context.Context, id int64, statuses []model.SubmissionStatus, values datastore.OptionalMap) error {
 	if err := env.db.Model(&model.Script{}).Where("id = ?", id).Where("status IN ?", statuses).Updates(values.Map()).Error; err != nil {
 		if err == gorm.ErrRecordNotFound {
 			return datastore.ErrNotExist
--- a/pkg/datastore/gormstore/submissions.go
+++ b/pkg/datastore/gormstore/submissions.go
@@ -20,6 +20,7 @@ func (env *Submissions) Get(ctx context.Context, id int64) (model.Submission, er
 		if errors.Is(err, gorm.ErrRecordNotFound) {
 			return submission, datastore.ErrNotExist
 		}
+		return submission, err
 	}
 	return submission, nil
 }
@@ -53,7 +54,7 @@ func (env *Submissions) Update(ctx context.Context, id int64, values datastore.O
 }

 // the update can only occur if the status matches one of the provided values.
-func (env *Submissions) IfStatusThenUpdate(ctx context.Context, id int64, statuses []model.Status, values datastore.OptionalMap) error {
+func (env *Submissions) IfStatusThenUpdate(ctx context.Context, id int64, statuses []model.SubmissionStatus, values datastore.OptionalMap) error {
 	if err := env.db.Model(&model.Submission{}).Where("id = ?", id).Where("status_id IN ?", statuses).Updates(values.Map()).Error; err != nil {
 		if err == gorm.ErrRecordNotFound {
 			return datastore.ErrNotExist
@@ -66,7 +67,7 @@ func (env *Submissions) IfStatusThenUpdate(ctx context.Context, id int64, status

 // the update can only occur if the status matches one of the provided values.
 // returns the updated value
-func (env *Submissions) IfStatusThenUpdateAndGet(ctx context.Context, id int64, statuses []model.Status, values datastore.OptionalMap) (model.Submission, error) {
+func (env *Submissions) IfStatusThenUpdateAndGet(ctx context.Context, id int64, statuses []model.SubmissionStatus, values datastore.OptionalMap) (model.Submission, error) {
 	var submission model.Submission
 	result := env.db.Model(&submission).
 		Clauses(clause.Returning{}).
@@ -98,9 +99,32 @@ func (env *Submissions) Delete(ctx context.Context, id int64) error {
 	return nil
 }

-func (env *Submissions) List(ctx context.Context, filters datastore.OptionalMap, page model.Page) ([]model.Submission, error) {
+func (env *Submissions) List(ctx context.Context, filters datastore.OptionalMap, page model.Page, sort datastore.ListSort) ([]model.Submission, error) {
 	var maps []model.Submission
-	if err := env.db.Where(filters.Map()).Offset(int((page.Number - 1) * page.Size)).Limit(int(page.Size)).Find(&maps).Error; err != nil {
+
+	db := env.db
+
+	switch sort {
+	case datastore.ListSortDisabled:
+		// No sort
+		break
+	case datastore.ListSortDisplayNameAscending:
+		db=db.Order("display_name ASC")
+		break
+	case datastore.ListSortDisplayNameDescending:
+		db=db.Order("display_name DESC")
+		break
+	case datastore.ListSortDateAscending:
+		db=db.Order("created_at ASC")
+		break
+	case datastore.ListSortDateDescending:
+		db=db.Order("created_at DESC")
+		break
+	default:
+		return nil, datastore.ErrInvalidListSort
+	}
+
+	if err := db.Where(filters.Map()).Offset(int((page.Number - 1) * page.Size)).Limit(int(page.Size)).Find(&maps).Error; err != nil {
 		return nil, err
 	}

--- a/pkg/internal/oas_cfg_gen.go
+++ b/pkg/internal/oas_cfg_gen.go
@@ -0,0 +1,283 @@
+// Code generated by ogen, DO NOT EDIT.
+
+package api
+
+import (
+	"net/http"
+
+	"go.opentelemetry.io/otel"
+	"go.opentelemetry.io/otel/metric"
+	"go.opentelemetry.io/otel/trace"
+
+	ht "github.com/ogen-go/ogen/http"
+	"github.com/ogen-go/ogen/middleware"
+	"github.com/ogen-go/ogen/ogenerrors"
+	"github.com/ogen-go/ogen/otelogen"
+)
+
+var (
+	// Allocate option closure once.
+	clientSpanKind = trace.WithSpanKind(trace.SpanKindClient)
+	// Allocate option closure once.
+	serverSpanKind = trace.WithSpanKind(trace.SpanKindServer)
+)
+
+type (
+	optionFunc[C any] func(*C)
+	otelOptionFunc    func(*otelConfig)
+)
+
+type otelConfig struct {
+	TracerProvider trace.TracerProvider
+	Tracer         trace.Tracer
+	MeterProvider  metric.MeterProvider
+	Meter          metric.Meter
+}
+
+func (cfg *otelConfig) initOTEL() {
+	if cfg.TracerProvider == nil {
+		cfg.TracerProvider = otel.GetTracerProvider()
+	}
+	if cfg.MeterProvider == nil {
+		cfg.MeterProvider = otel.GetMeterProvider()
+	}
+	cfg.Tracer = cfg.TracerProvider.Tracer(otelogen.Name,
+		trace.WithInstrumentationVersion(otelogen.SemVersion()),
+	)
+	cfg.Meter = cfg.MeterProvider.Meter(otelogen.Name,
+		metric.WithInstrumentationVersion(otelogen.SemVersion()),
+	)
+}
+
+// ErrorHandler is error handler.
+type ErrorHandler = ogenerrors.ErrorHandler
+
+type serverConfig struct {
+	otelConfig
+	NotFound           http.HandlerFunc
+	MethodNotAllowed   func(w http.ResponseWriter, r *http.Request, allowed string)
+	ErrorHandler       ErrorHandler
+	Prefix             string
+	Middleware         Middleware
+	MaxMultipartMemory int64
+}
+
+// ServerOption is server config option.
+type ServerOption interface {
+	applyServer(*serverConfig)
+}
+
+var _ ServerOption = (optionFunc[serverConfig])(nil)
+
+func (o optionFunc[C]) applyServer(c *C) {
+	o(c)
+}
+
+var _ ServerOption = (otelOptionFunc)(nil)
+
+func (o otelOptionFunc) applyServer(c *serverConfig) {
+	o(&c.otelConfig)
+}
+
+func newServerConfig(opts ...ServerOption) serverConfig {
+	cfg := serverConfig{
+		NotFound: http.NotFound,
+		MethodNotAllowed: func(w http.ResponseWriter, r *http.Request, allowed string) {
+			status := http.StatusMethodNotAllowed
+			if r.Method == "OPTIONS" {
+				w.Header().Set("Access-Control-Allow-Methods", allowed)
+				w.Header().Set("Access-Control-Allow-Headers", "Content-Type")
+				status = http.StatusNoContent
+			} else {
+				w.Header().Set("Allow", allowed)
+			}
+			w.WriteHeader(status)
+		},
+		ErrorHandler:       ogenerrors.DefaultErrorHandler,
+		Middleware:         nil,
+		MaxMultipartMemory: 32 << 20, // 32 MB
+	}
+	for _, opt := range opts {
+		opt.applyServer(&cfg)
+	}
+	cfg.initOTEL()
+	return cfg
+}
+
+type baseServer struct {
+	cfg      serverConfig
+	requests metric.Int64Counter
+	errors   metric.Int64Counter
+	duration metric.Float64Histogram
+}
+
+func (s baseServer) notFound(w http.ResponseWriter, r *http.Request) {
+	s.cfg.NotFound(w, r)
+}
+
+func (s baseServer) notAllowed(w http.ResponseWriter, r *http.Request, allowed string) {
+	s.cfg.MethodNotAllowed(w, r, allowed)
+}
+
+func (cfg serverConfig) baseServer() (s baseServer, err error) {
+	s = baseServer{cfg: cfg}
+	if s.requests, err = otelogen.ServerRequestCountCounter(s.cfg.Meter); err != nil {
+		return s, err
+	}
+	if s.errors, err = otelogen.ServerErrorsCountCounter(s.cfg.Meter); err != nil {
+		return s, err
+	}
+	if s.duration, err = otelogen.ServerDurationHistogram(s.cfg.Meter); err != nil {
+		return s, err
+	}
+	return s, nil
+}
+
+type clientConfig struct {
+	otelConfig
+	Client ht.Client
+}
+
+// ClientOption is client config option.
+type ClientOption interface {
+	applyClient(*clientConfig)
+}
+
+var _ ClientOption = (optionFunc[clientConfig])(nil)
+
+func (o optionFunc[C]) applyClient(c *C) {
+	o(c)
+}
+
+var _ ClientOption = (otelOptionFunc)(nil)
+
+func (o otelOptionFunc) applyClient(c *clientConfig) {
+	o(&c.otelConfig)
+}
+
+func newClientConfig(opts ...ClientOption) clientConfig {
+	cfg := clientConfig{
+		Client: http.DefaultClient,
+	}
+	for _, opt := range opts {
+		opt.applyClient(&cfg)
+	}
+	cfg.initOTEL()
+	return cfg
+}
+
+type baseClient struct {
+	cfg      clientConfig
+	requests metric.Int64Counter
+	errors   metric.Int64Counter
+	duration metric.Float64Histogram
+}
+
+func (cfg clientConfig) baseClient() (c baseClient, err error) {
+	c = baseClient{cfg: cfg}
+	if c.requests, err = otelogen.ClientRequestCountCounter(c.cfg.Meter); err != nil {
+		return c, err
+	}
+	if c.errors, err = otelogen.ClientErrorsCountCounter(c.cfg.Meter); err != nil {
+		return c, err
+	}
+	if c.duration, err = otelogen.ClientDurationHistogram(c.cfg.Meter); err != nil {
+		return c, err
+	}
+	return c, nil
+}
+
+// Option is config option.
+type Option interface {
+	ServerOption
+	ClientOption
+}
+
+// WithTracerProvider specifies a tracer provider to use for creating a tracer.
+//
+// If none is specified, the global provider is used.
+func WithTracerProvider(provider trace.TracerProvider) Option {
+	return otelOptionFunc(func(cfg *otelConfig) {
+		if provider != nil {
+			cfg.TracerProvider = provider
+		}
+	})
+}
+
+// WithMeterProvider specifies a meter provider to use for creating a meter.
+//
+// If none is specified, the otel.GetMeterProvider() is used.
+func WithMeterProvider(provider metric.MeterProvider) Option {
+	return otelOptionFunc(func(cfg *otelConfig) {
+		if provider != nil {
+			cfg.MeterProvider = provider
+		}
+	})
+}
+
+// WithClient specifies http client to use.
+func WithClient(client ht.Client) ClientOption {
+	return optionFunc[clientConfig](func(cfg *clientConfig) {
+		if client != nil {
+			cfg.Client = client
+		}
+	})
+}
+
+// WithNotFound specifies Not Found handler to use.
+func WithNotFound(notFound http.HandlerFunc) ServerOption {
+	return optionFunc[serverConfig](func(cfg *serverConfig) {
+		if notFound != nil {
+			cfg.NotFound = notFound
+		}
+	})
+}
+
+// WithMethodNotAllowed specifies Method Not Allowed handler to use.
+func WithMethodNotAllowed(methodNotAllowed func(w http.ResponseWriter, r *http.Request, allowed string)) ServerOption {
+	return optionFunc[serverConfig](func(cfg *serverConfig) {
+		if methodNotAllowed != nil {
+			cfg.MethodNotAllowed = methodNotAllowed
+		}
+	})
+}
+
+// WithErrorHandler specifies error handler to use.
+func WithErrorHandler(h ErrorHandler) ServerOption {
+	return optionFunc[serverConfig](func(cfg *serverConfig) {
+		if h != nil {
+			cfg.ErrorHandler = h
+		}
+	})
+}
+
+// WithPathPrefix specifies server path prefix.
+func WithPathPrefix(prefix string) ServerOption {
+	return optionFunc[serverConfig](func(cfg *serverConfig) {
+		cfg.Prefix = prefix
+	})
+}
+
+// WithMiddleware specifies middlewares to use.
+func WithMiddleware(m ...Middleware) ServerOption {
+	return optionFunc[serverConfig](func(cfg *serverConfig) {
+		switch len(m) {
+		case 0:
+			cfg.Middleware = nil
+		case 1:
+			cfg.Middleware = m[0]
+		default:
+			cfg.Middleware = middleware.ChainMiddlewares(m...)
+		}
+	})
+}
+
+// WithMaxMultipartMemory specifies limit of memory for storing file parts.
+// File parts which can't be stored in memory will be stored on disk in temporary files.
+func WithMaxMultipartMemory(max int64) ServerOption {
+	return optionFunc[serverConfig](func(cfg *serverConfig) {
+		if max > 0 {
+			cfg.MaxMultipartMemory = max
+		}
+	})
+}
--- a/pkg/internal/oas_client_gen.go
+++ b/pkg/internal/oas_client_gen.go
--- a/pkg/internal/oas_handlers_gen.go
+++ b/pkg/internal/oas_handlers_gen.go
--- a/pkg/internal/oas_json_gen.go
+++ b/pkg/internal/oas_json_gen.go
@@ -0,0 +1,862 @@
+// Code generated by ogen, DO NOT EDIT.
+
+package api
+
+import (
+	"math/bits"
+	"strconv"
+
+	"github.com/go-faster/errors"
+	"github.com/go-faster/jx"
+
+	"github.com/ogen-go/ogen/validate"
+)
+
+// Encode implements json.Marshaler.
+func (s *Error) Encode(e *jx.Encoder) {
+	e.ObjStart()
+	s.encodeFields(e)
+	e.ObjEnd()
+}
+
+// encodeFields encodes fields.
+func (s *Error) encodeFields(e *jx.Encoder) {
+	{
+		e.FieldStart("code")
+		e.Int64(s.Code)
+	}
+	{
+		e.FieldStart("message")
+		e.Str(s.Message)
+	}
+}
+
+var jsonFieldsNameOfError = [2]string{
+	0: "code",
+	1: "message",
+}
+
+// Decode decodes Error from json.
+func (s *Error) Decode(d *jx.Decoder) error {
+	if s == nil {
+		return errors.New("invalid: unable to decode Error to nil")
+	}
+	var requiredBitSet [1]uint8
+
+	if err := d.ObjBytes(func(d *jx.Decoder, k []byte) error {
+		switch string(k) {
+		case "code":
+			requiredBitSet[0] |= 1 << 0
+			if err := func() error {
+				v, err := d.Int64()
+				s.Code = int64(v)
+				if err != nil {
+					return err
+				}
+				return nil
+			}(); err != nil {
+				return errors.Wrap(err, "decode field \"code\"")
+			}
+		case "message":
+			requiredBitSet[0] |= 1 << 1
+			if err := func() error {
+				v, err := d.Str()
+				s.Message = string(v)
+				if err != nil {
+					return err
+				}
+				return nil
+			}(); err != nil {
+				return errors.Wrap(err, "decode field \"message\"")
+			}
+		default:
+			return d.Skip()
+		}
+		return nil
+	}); err != nil {
+		return errors.Wrap(err, "decode Error")
+	}
+	// Validate required fields.
+	var failures []validate.FieldError
+	for i, mask := range [1]uint8{
+		0b00000011,
+	} {
+		if result := (requiredBitSet[i] & mask) ^ mask; result != 0 {
+			// Mask only required fields and check equality to mask using XOR.
+			//
+			// If XOR result is not zero, result is not equal to expected, so some fields are missed.
+			// Bits of fields which would be set are actually bits of missed fields.
+			missed := bits.OnesCount8(result)
+			for bitN := 0; bitN < missed; bitN++ {
+				bitIdx := bits.TrailingZeros8(result)
+				fieldIdx := i*8 + bitIdx
+				var name string
+				if fieldIdx < len(jsonFieldsNameOfError) {
+					name = jsonFieldsNameOfError[fieldIdx]
+				} else {
+					name = strconv.Itoa(fieldIdx)
+				}
+				failures = append(failures, validate.FieldError{
+					Name:  name,
+					Error: validate.ErrFieldRequired,
+				})
+				// Reset bit.
+				result &^= 1 << bitIdx
+			}
+		}
+	}
+	if len(failures) > 0 {
+		return &validate.Error{Fields: failures}
+	}
+
+	return nil
+}
+
+// MarshalJSON implements stdjson.Marshaler.
+func (s *Error) MarshalJSON() ([]byte, error) {
+	e := jx.Encoder{}
+	s.Encode(&e)
+	return e.Bytes(), nil
+}
+
+// UnmarshalJSON implements stdjson.Unmarshaler.
+func (s *Error) UnmarshalJSON(data []byte) error {
+	d := jx.DecodeBytes(data)
+	return s.Decode(d)
+}
+
+// Encode implements json.Marshaler.
+func (s *ID) Encode(e *jx.Encoder) {
+	e.ObjStart()
+	s.encodeFields(e)
+	e.ObjEnd()
+}
+
+// encodeFields encodes fields.
+func (s *ID) encodeFields(e *jx.Encoder) {
+	{
+		e.FieldStart("ID")
+		e.Int64(s.ID)
+	}
+}
+
+var jsonFieldsNameOfID = [1]string{
+	0: "ID",
+}
+
+// Decode decodes ID from json.
+func (s *ID) Decode(d *jx.Decoder) error {
+	if s == nil {
+		return errors.New("invalid: unable to decode ID to nil")
+	}
+	var requiredBitSet [1]uint8
+
+	if err := d.ObjBytes(func(d *jx.Decoder, k []byte) error {
+		switch string(k) {
+		case "ID":
+			requiredBitSet[0] |= 1 << 0
+			if err := func() error {
+				v, err := d.Int64()
+				s.ID = int64(v)
+				if err != nil {
+					return err
+				}
+				return nil
+			}(); err != nil {
+				return errors.Wrap(err, "decode field \"ID\"")
+			}
+		default:
+			return d.Skip()
+		}
+		return nil
+	}); err != nil {
+		return errors.Wrap(err, "decode ID")
+	}
+	// Validate required fields.
+	var failures []validate.FieldError
+	for i, mask := range [1]uint8{
+		0b00000001,
+	} {
+		if result := (requiredBitSet[i] & mask) ^ mask; result != 0 {
+			// Mask only required fields and check equality to mask using XOR.
+			//
+			// If XOR result is not zero, result is not equal to expected, so some fields are missed.
+			// Bits of fields which would be set are actually bits of missed fields.
+			missed := bits.OnesCount8(result)
+			for bitN := 0; bitN < missed; bitN++ {
+				bitIdx := bits.TrailingZeros8(result)
+				fieldIdx := i*8 + bitIdx
+				var name string
+				if fieldIdx < len(jsonFieldsNameOfID) {
+					name = jsonFieldsNameOfID[fieldIdx]
+				} else {
+					name = strconv.Itoa(fieldIdx)
+				}
+				failures = append(failures, validate.FieldError{
+					Name:  name,
+					Error: validate.ErrFieldRequired,
+				})
+				// Reset bit.
+				result &^= 1 << bitIdx
+			}
+		}
+	}
+	if len(failures) > 0 {
+		return &validate.Error{Fields: failures}
+	}
+
+	return nil
+}
+
+// MarshalJSON implements stdjson.Marshaler.
+func (s *ID) MarshalJSON() ([]byte, error) {
+	e := jx.Encoder{}
+	s.Encode(&e)
+	return e.Bytes(), nil
+}
+
+// UnmarshalJSON implements stdjson.Unmarshaler.
+func (s *ID) UnmarshalJSON(data []byte) error {
+	d := jx.DecodeBytes(data)
+	return s.Decode(d)
+}
+
+// Encode encodes int64 as json.
+func (o OptInt64) Encode(e *jx.Encoder) {
+	if !o.Set {
+		return
+	}
+	e.Int64(int64(o.Value))
+}
+
+// Decode decodes int64 from json.
+func (o *OptInt64) Decode(d *jx.Decoder) error {
+	if o == nil {
+		return errors.New("invalid: unable to decode OptInt64 to nil")
+	}
+	o.Set = true
+	v, err := d.Int64()
+	if err != nil {
+		return err
+	}
+	o.Value = int64(v)
+	return nil
+}
+
+// MarshalJSON implements stdjson.Marshaler.
+func (s OptInt64) MarshalJSON() ([]byte, error) {
+	e := jx.Encoder{}
+	s.Encode(&e)
+	return e.Bytes(), nil
+}
+
+// UnmarshalJSON implements stdjson.Unmarshaler.
+func (s *OptInt64) UnmarshalJSON(data []byte) error {
+	d := jx.DecodeBytes(data)
+	return s.Decode(d)
+}
+
+// Encode implements json.Marshaler.
+func (s *Script) Encode(e *jx.Encoder) {
+	e.ObjStart()
+	s.encodeFields(e)
+	e.ObjEnd()
+}
+
+// encodeFields encodes fields.
+func (s *Script) encodeFields(e *jx.Encoder) {
+	{
+		e.FieldStart("ID")
+		e.Int64(s.ID)
+	}
+	{
+		e.FieldStart("Name")
+		e.Str(s.Name)
+	}
+	{
+		e.FieldStart("Hash")
+		e.Str(s.Hash)
+	}
+	{
+		e.FieldStart("Source")
+		e.Str(s.Source)
+	}
+	{
+		e.FieldStart("ResourceType")
+		e.Int32(s.ResourceType)
+	}
+	{
+		e.FieldStart("ResourceID")
+		e.Int64(s.ResourceID)
+	}
+}
+
+var jsonFieldsNameOfScript = [6]string{
+	0: "ID",
+	1: "Name",
+	2: "Hash",
+	3: "Source",
+	4: "ResourceType",
+	5: "ResourceID",
+}
+
+// Decode decodes Script from json.
+func (s *Script) Decode(d *jx.Decoder) error {
+	if s == nil {
+		return errors.New("invalid: unable to decode Script to nil")
+	}
+	var requiredBitSet [1]uint8
+
+	if err := d.ObjBytes(func(d *jx.Decoder, k []byte) error {
+		switch string(k) {
+		case "ID":
+			requiredBitSet[0] |= 1 << 0
+			if err := func() error {
+				v, err := d.Int64()
+				s.ID = int64(v)
+				if err != nil {
+					return err
+				}
+				return nil
+			}(); err != nil {
+				return errors.Wrap(err, "decode field \"ID\"")
+			}
+		case "Name":
+			requiredBitSet[0] |= 1 << 1
+			if err := func() error {
+				v, err := d.Str()
+				s.Name = string(v)
+				if err != nil {
+					return err
+				}
+				return nil
+			}(); err != nil {
+				return errors.Wrap(err, "decode field \"Name\"")
+			}
+		case "Hash":
+			requiredBitSet[0] |= 1 << 2
+			if err := func() error {
+				v, err := d.Str()
+				s.Hash = string(v)
+				if err != nil {
+					return err
+				}
+				return nil
+			}(); err != nil {
+				return errors.Wrap(err, "decode field \"Hash\"")
+			}
+		case "Source":
+			requiredBitSet[0] |= 1 << 3
+			if err := func() error {
+				v, err := d.Str()
+				s.Source = string(v)
+				if err != nil {
+					return err
+				}
+				return nil
+			}(); err != nil {
+				return errors.Wrap(err, "decode field \"Source\"")
+			}
+		case "ResourceType":
+			requiredBitSet[0] |= 1 << 4
+			if err := func() error {
+				v, err := d.Int32()
+				s.ResourceType = int32(v)
+				if err != nil {
+					return err
+				}
+				return nil
+			}(); err != nil {
+				return errors.Wrap(err, "decode field \"ResourceType\"")
+			}
+		case "ResourceID":
+			requiredBitSet[0] |= 1 << 5
+			if err := func() error {
+				v, err := d.Int64()
+				s.ResourceID = int64(v)
+				if err != nil {
+					return err
+				}
+				return nil
+			}(); err != nil {
+				return errors.Wrap(err, "decode field \"ResourceID\"")
+			}
+		default:
+			return d.Skip()
+		}
+		return nil
+	}); err != nil {
+		return errors.Wrap(err, "decode Script")
+	}
+	// Validate required fields.
+	var failures []validate.FieldError
+	for i, mask := range [1]uint8{
+		0b00111111,
+	} {
+		if result := (requiredBitSet[i] & mask) ^ mask; result != 0 {
+			// Mask only required fields and check equality to mask using XOR.
+			//
+			// If XOR result is not zero, result is not equal to expected, so some fields are missed.
+			// Bits of fields which would be set are actually bits of missed fields.
+			missed := bits.OnesCount8(result)
+			for bitN := 0; bitN < missed; bitN++ {
+				bitIdx := bits.TrailingZeros8(result)
+				fieldIdx := i*8 + bitIdx
+				var name string
+				if fieldIdx < len(jsonFieldsNameOfScript) {
+					name = jsonFieldsNameOfScript[fieldIdx]
+				} else {
+					name = strconv.Itoa(fieldIdx)
+				}
+				failures = append(failures, validate.FieldError{
+					Name:  name,
+					Error: validate.ErrFieldRequired,
+				})
+				// Reset bit.
+				result &^= 1 << bitIdx
+			}
+		}
+	}
+	if len(failures) > 0 {
+		return &validate.Error{Fields: failures}
+	}
+
+	return nil
+}
+
+// MarshalJSON implements stdjson.Marshaler.
+func (s *Script) MarshalJSON() ([]byte, error) {
+	e := jx.Encoder{}
+	s.Encode(&e)
+	return e.Bytes(), nil
+}
+
+// UnmarshalJSON implements stdjson.Unmarshaler.
+func (s *Script) UnmarshalJSON(data []byte) error {
+	d := jx.DecodeBytes(data)
+	return s.Decode(d)
+}
+
+// Encode implements json.Marshaler.
+func (s *ScriptCreate) Encode(e *jx.Encoder) {
+	e.ObjStart()
+	s.encodeFields(e)
+	e.ObjEnd()
+}
+
+// encodeFields encodes fields.
+func (s *ScriptCreate) encodeFields(e *jx.Encoder) {
+	{
+		e.FieldStart("Name")
+		e.Str(s.Name)
+	}
+	{
+		e.FieldStart("Source")
+		e.Str(s.Source)
+	}
+	{
+		e.FieldStart("ResourceType")
+		e.Int32(s.ResourceType)
+	}
+	{
+		if s.ResourceID.Set {
+			e.FieldStart("ResourceID")
+			s.ResourceID.Encode(e)
+		}
+	}
+}
+
+var jsonFieldsNameOfScriptCreate = [4]string{
+	0: "Name",
+	1: "Source",
+	2: "ResourceType",
+	3: "ResourceID",
+}
+
+// Decode decodes ScriptCreate from json.
+func (s *ScriptCreate) Decode(d *jx.Decoder) error {
+	if s == nil {
+		return errors.New("invalid: unable to decode ScriptCreate to nil")
+	}
+	var requiredBitSet [1]uint8
+
+	if err := d.ObjBytes(func(d *jx.Decoder, k []byte) error {
+		switch string(k) {
+		case "Name":
+			requiredBitSet[0] |= 1 << 0
+			if err := func() error {
+				v, err := d.Str()
+				s.Name = string(v)
+				if err != nil {
+					return err
+				}
+				return nil
+			}(); err != nil {
+				return errors.Wrap(err, "decode field \"Name\"")
+			}
+		case "Source":
+			requiredBitSet[0] |= 1 << 1
+			if err := func() error {
+				v, err := d.Str()
+				s.Source = string(v)
+				if err != nil {
+					return err
+				}
+				return nil
+			}(); err != nil {
+				return errors.Wrap(err, "decode field \"Source\"")
+			}
+		case "ResourceType":
+			requiredBitSet[0] |= 1 << 2
+			if err := func() error {
+				v, err := d.Int32()
+				s.ResourceType = int32(v)
+				if err != nil {
+					return err
+				}
+				return nil
+			}(); err != nil {
+				return errors.Wrap(err, "decode field \"ResourceType\"")
+			}
+		case "ResourceID":
+			if err := func() error {
+				s.ResourceID.Reset()
+				if err := s.ResourceID.Decode(d); err != nil {
+					return err
+				}
+				return nil
+			}(); err != nil {
+				return errors.Wrap(err, "decode field \"ResourceID\"")
+			}
+		default:
+			return d.Skip()
+		}
+		return nil
+	}); err != nil {
+		return errors.Wrap(err, "decode ScriptCreate")
+	}
+	// Validate required fields.
+	var failures []validate.FieldError
+	for i, mask := range [1]uint8{
+		0b00000111,
+	} {
+		if result := (requiredBitSet[i] & mask) ^ mask; result != 0 {
+			// Mask only required fields and check equality to mask using XOR.
+			//
+			// If XOR result is not zero, result is not equal to expected, so some fields are missed.
+			// Bits of fields which would be set are actually bits of missed fields.
+			missed := bits.OnesCount8(result)
+			for bitN := 0; bitN < missed; bitN++ {
+				bitIdx := bits.TrailingZeros8(result)
+				fieldIdx := i*8 + bitIdx
+				var name string
+				if fieldIdx < len(jsonFieldsNameOfScriptCreate) {
+					name = jsonFieldsNameOfScriptCreate[fieldIdx]
+				} else {
+					name = strconv.Itoa(fieldIdx)
+				}
+				failures = append(failures, validate.FieldError{
+					Name:  name,
+					Error: validate.ErrFieldRequired,
+				})
+				// Reset bit.
+				result &^= 1 << bitIdx
+			}
+		}
+	}
+	if len(failures) > 0 {
+		return &validate.Error{Fields: failures}
+	}
+
+	return nil
+}
+
+// MarshalJSON implements stdjson.Marshaler.
+func (s *ScriptCreate) MarshalJSON() ([]byte, error) {
+	e := jx.Encoder{}
+	s.Encode(&e)
+	return e.Bytes(), nil
+}
+
+// UnmarshalJSON implements stdjson.Unmarshaler.
+func (s *ScriptCreate) UnmarshalJSON(data []byte) error {
+	d := jx.DecodeBytes(data)
+	return s.Decode(d)
+}
+
+// Encode implements json.Marshaler.
+func (s *ScriptPolicy) Encode(e *jx.Encoder) {
+	e.ObjStart()
+	s.encodeFields(e)
+	e.ObjEnd()
+}
+
+// encodeFields encodes fields.
+func (s *ScriptPolicy) encodeFields(e *jx.Encoder) {
+	{
+		e.FieldStart("ID")
+		e.Int64(s.ID)
+	}
+	{
+		e.FieldStart("FromScriptHash")
+		e.Str(s.FromScriptHash)
+	}
+	{
+		e.FieldStart("ToScriptID")
+		e.Int64(s.ToScriptID)
+	}
+	{
+		e.FieldStart("Policy")
+		e.Int32(s.Policy)
+	}
+}
+
+var jsonFieldsNameOfScriptPolicy = [4]string{
+	0: "ID",
+	1: "FromScriptHash",
+	2: "ToScriptID",
+	3: "Policy",
+}
+
+// Decode decodes ScriptPolicy from json.
+func (s *ScriptPolicy) Decode(d *jx.Decoder) error {
+	if s == nil {
+		return errors.New("invalid: unable to decode ScriptPolicy to nil")
+	}
+	var requiredBitSet [1]uint8
+
+	if err := d.ObjBytes(func(d *jx.Decoder, k []byte) error {
+		switch string(k) {
+		case "ID":
+			requiredBitSet[0] |= 1 << 0
+			if err := func() error {
+				v, err := d.Int64()
+				s.ID = int64(v)
+				if err != nil {
+					return err
+				}
+				return nil
+			}(); err != nil {
+				return errors.Wrap(err, "decode field \"ID\"")
+			}
+		case "FromScriptHash":
+			requiredBitSet[0] |= 1 << 1
+			if err := func() error {
+				v, err := d.Str()
+				s.FromScriptHash = string(v)
+				if err != nil {
+					return err
+				}
+				return nil
+			}(); err != nil {
+				return errors.Wrap(err, "decode field \"FromScriptHash\"")
+			}
+		case "ToScriptID":
+			requiredBitSet[0] |= 1 << 2
+			if err := func() error {
+				v, err := d.Int64()
+				s.ToScriptID = int64(v)
+				if err != nil {
+					return err
+				}
+				return nil
+			}(); err != nil {
+				return errors.Wrap(err, "decode field \"ToScriptID\"")
+			}
+		case "Policy":
+			requiredBitSet[0] |= 1 << 3
+			if err := func() error {
+				v, err := d.Int32()
+				s.Policy = int32(v)
+				if err != nil {
+					return err
+				}
+				return nil
+			}(); err != nil {
+				return errors.Wrap(err, "decode field \"Policy\"")
+			}
+		default:
+			return d.Skip()
+		}
+		return nil
+	}); err != nil {
+		return errors.Wrap(err, "decode ScriptPolicy")
+	}
+	// Validate required fields.
+	var failures []validate.FieldError
+	for i, mask := range [1]uint8{
+		0b00001111,
+	} {
+		if result := (requiredBitSet[i] & mask) ^ mask; result != 0 {
+			// Mask only required fields and check equality to mask using XOR.
+			//
+			// If XOR result is not zero, result is not equal to expected, so some fields are missed.
+			// Bits of fields which would be set are actually bits of missed fields.
+			missed := bits.OnesCount8(result)
+			for bitN := 0; bitN < missed; bitN++ {
+				bitIdx := bits.TrailingZeros8(result)
+				fieldIdx := i*8 + bitIdx
+				var name string
+				if fieldIdx < len(jsonFieldsNameOfScriptPolicy) {
+					name = jsonFieldsNameOfScriptPolicy[fieldIdx]
+				} else {
+					name = strconv.Itoa(fieldIdx)
+				}
+				failures = append(failures, validate.FieldError{
+					Name:  name,
+					Error: validate.ErrFieldRequired,
+				})
+				// Reset bit.
+				result &^= 1 << bitIdx
+			}
+		}
+	}
+	if len(failures) > 0 {
+		return &validate.Error{Fields: failures}
+	}
+
+	return nil
+}
+
+// MarshalJSON implements stdjson.Marshaler.
+func (s *ScriptPolicy) MarshalJSON() ([]byte, error) {
+	e := jx.Encoder{}
+	s.Encode(&e)
+	return e.Bytes(), nil
+}
+
+// UnmarshalJSON implements stdjson.Unmarshaler.
+func (s *ScriptPolicy) UnmarshalJSON(data []byte) error {
+	d := jx.DecodeBytes(data)
+	return s.Decode(d)
+}
+
+// Encode implements json.Marshaler.
+func (s *ScriptPolicyCreate) Encode(e *jx.Encoder) {
+	e.ObjStart()
+	s.encodeFields(e)
+	e.ObjEnd()
+}
+
+// encodeFields encodes fields.
+func (s *ScriptPolicyCreate) encodeFields(e *jx.Encoder) {
+	{
+		e.FieldStart("FromScriptID")
+		e.Int64(s.FromScriptID)
+	}
+	{
+		e.FieldStart("ToScriptID")
+		e.Int64(s.ToScriptID)
+	}
+	{
+		e.FieldStart("Policy")
+		e.Int32(s.Policy)
+	}
+}
+
+var jsonFieldsNameOfScriptPolicyCreate = [3]string{
+	0: "FromScriptID",
+	1: "ToScriptID",
+	2: "Policy",
+}
+
+// Decode decodes ScriptPolicyCreate from json.
+func (s *ScriptPolicyCreate) Decode(d *jx.Decoder) error {
+	if s == nil {
+		return errors.New("invalid: unable to decode ScriptPolicyCreate to nil")
+	}
+	var requiredBitSet [1]uint8
+
+	if err := d.ObjBytes(func(d *jx.Decoder, k []byte) error {
+		switch string(k) {
+		case "FromScriptID":
+			requiredBitSet[0] |= 1 << 0
+			if err := func() error {
+				v, err := d.Int64()
+				s.FromScriptID = int64(v)
+				if err != nil {
+					return err
+				}
+				return nil
+			}(); err != nil {
+				return errors.Wrap(err, "decode field \"FromScriptID\"")
+			}
+		case "ToScriptID":
+			requiredBitSet[0] |= 1 << 1
+			if err := func() error {
+				v, err := d.Int64()
+				s.ToScriptID = int64(v)
+				if err != nil {
+					return err
+				}
+				return nil
+			}(); err != nil {
+				return errors.Wrap(err, "decode field \"ToScriptID\"")
+			}
+		case "Policy":
+			requiredBitSet[0] |= 1 << 2
+			if err := func() error {
+				v, err := d.Int32()
+				s.Policy = int32(v)
+				if err != nil {
+					return err
+				}
+				return nil
+			}(); err != nil {
+				return errors.Wrap(err, "decode field \"Policy\"")
+			}
+		default:
+			return d.Skip()
+		}
+		return nil
+	}); err != nil {
+		return errors.Wrap(err, "decode ScriptPolicyCreate")
+	}
+	// Validate required fields.
+	var failures []validate.FieldError
+	for i, mask := range [1]uint8{
+		0b00000111,
+	} {
+		if result := (requiredBitSet[i] & mask) ^ mask; result != 0 {
+			// Mask only required fields and check equality to mask using XOR.
+			//
+			// If XOR result is not zero, result is not equal to expected, so some fields are missed.
+			// Bits of fields which would be set are actually bits of missed fields.
+			missed := bits.OnesCount8(result)
+			for bitN := 0; bitN < missed; bitN++ {
+				bitIdx := bits.TrailingZeros8(result)
+				fieldIdx := i*8 + bitIdx
+				var name string
+				if fieldIdx < len(jsonFieldsNameOfScriptPolicyCreate) {
+					name = jsonFieldsNameOfScriptPolicyCreate[fieldIdx]
+				} else {
+					name = strconv.Itoa(fieldIdx)
+				}
+				failures = append(failures, validate.FieldError{
+					Name:  name,
+					Error: validate.ErrFieldRequired,
+				})
+				// Reset bit.
+				result &^= 1 << bitIdx
+			}
+		}
+	}
+	if len(failures) > 0 {
+		return &validate.Error{Fields: failures}
+	}
+
+	return nil
+}
+
+// MarshalJSON implements stdjson.Marshaler.
+func (s *ScriptPolicyCreate) MarshalJSON() ([]byte, error) {
+	e := jx.Encoder{}
+	s.Encode(&e)
+	return e.Bytes(), nil
+}
+
+// UnmarshalJSON implements stdjson.Unmarshaler.
+func (s *ScriptPolicyCreate) UnmarshalJSON(data []byte) error {
+	d := jx.DecodeBytes(data)
+	return s.Decode(d)
+}
--- a/pkg/internal/oas_labeler_gen.go
+++ b/pkg/internal/oas_labeler_gen.go
@@ -0,0 +1,42 @@
+// Code generated by ogen, DO NOT EDIT.
+
+package api
+
+import (
+	"context"
+
+	"go.opentelemetry.io/otel/attribute"
+)
+
+// Labeler is used to allow adding custom attributes to the server request metrics.
+type Labeler struct {
+	attrs []attribute.KeyValue
+}
+
+// Add attributes to the Labeler.
+func (l *Labeler) Add(attrs ...attribute.KeyValue) {
+	l.attrs = append(l.attrs, attrs...)
+}
+
+// AttributeSet returns the attributes added to the Labeler as an attribute.Set.
+func (l *Labeler) AttributeSet() attribute.Set {
+	return attribute.NewSet(l.attrs...)
+}
+
+type labelerContextKey struct{}
+
+// LabelerFromContext retrieves the Labeler from the provided context, if present.
+//
+// If no Labeler was found in the provided context a new, empty Labeler is returned and the second
+// return value is false. In this case it is safe to use the Labeler but any attributes added to
+// it will not be used.
+func LabelerFromContext(ctx context.Context) (*Labeler, bool) {
+	if l, ok := ctx.Value(labelerContextKey{}).(*Labeler); ok {
+		return l, true
+	}
+	return &Labeler{}, false
+}
+
+func contextWithLabeler(ctx context.Context, l *Labeler) context.Context {
+	return context.WithValue(ctx, labelerContextKey{}, l)
+}
--- a/pkg/internal/oas_middleware_gen.go
+++ b/pkg/internal/oas_middleware_gen.go
@@ -0,0 +1,10 @@
+// Code generated by ogen, DO NOT EDIT.
+
+package api
+
+import (
+	"github.com/ogen-go/ogen/middleware"
+)
+
+// Middleware is middleware type.
+type Middleware = middleware.Middleware
--- a/pkg/internal/oas_operations_gen.go
+++ b/pkg/internal/oas_operations_gen.go
@@ -0,0 +1,18 @@
+// Code generated by ogen, DO NOT EDIT.
+
+package api
+
+// OperationName is the ogen operation name
+type OperationName = string
+
+const (
+	ActionSubmissionAcceptedOperation       OperationName = "ActionSubmissionAccepted"
+	ActionSubmissionUploadedOperation       OperationName = "ActionSubmissionUploaded"
+	ActionSubmissionValidatedOperation      OperationName = "ActionSubmissionValidated"
+	CreateScriptOperation                   OperationName = "CreateScript"
+	CreateScriptPolicyOperation             OperationName = "CreateScriptPolicy"
+	GetScriptOperation                      OperationName = "GetScript"
+	ListScriptPolicyOperation               OperationName = "ListScriptPolicy"
+	ListScriptsOperation                    OperationName = "ListScripts"
+	UpdateSubmissionValidatedModelOperation OperationName = "UpdateSubmissionValidatedModel"
+)
--- a/pkg/internal/oas_parameters_gen.go
+++ b/pkg/internal/oas_parameters_gen.go
--- a/pkg/internal/oas_request_decoders_gen.go
+++ b/pkg/internal/oas_request_decoders_gen.go
@@ -0,0 +1,150 @@
+// Code generated by ogen, DO NOT EDIT.
+
+package api
+
+import (
+	"io"
+	"mime"
+	"net/http"
+
+	"github.com/go-faster/errors"
+	"github.com/go-faster/jx"
+	"go.uber.org/multierr"
+
+	"github.com/ogen-go/ogen/ogenerrors"
+	"github.com/ogen-go/ogen/validate"
+)
+
+func (s *Server) decodeCreateScriptRequest(r *http.Request) (
+	req *ScriptCreate,
+	close func() error,
+	rerr error,
+) {
+	var closers []func() error
+	close = func() error {
+		var merr error
+		// Close in reverse order, to match defer behavior.
+		for i := len(closers) - 1; i >= 0; i-- {
+			c := closers[i]
+			merr = multierr.Append(merr, c())
+		}
+		return merr
+	}
+	defer func() {
+		if rerr != nil {
+			rerr = multierr.Append(rerr, close())
+		}
+	}()
+	ct, _, err := mime.ParseMediaType(r.Header.Get("Content-Type"))
+	if err != nil {
+		return req, close, errors.Wrap(err, "parse media type")
+	}
+	switch {
+	case ct == "application/json":
+		if r.ContentLength == 0 {
+			return req, close, validate.ErrBodyRequired
+		}
+		buf, err := io.ReadAll(r.Body)
+		if err != nil {
+			return req, close, err
+		}
+
+		if len(buf) == 0 {
+			return req, close, validate.ErrBodyRequired
+		}
+
+		d := jx.DecodeBytes(buf)
+
+		var request ScriptCreate
+		if err := func() error {
+			if err := request.Decode(d); err != nil {
+				return err
+			}
+			if err := d.Skip(); err != io.EOF {
+				return errors.New("unexpected trailing data")
+			}
+			return nil
+		}(); err != nil {
+			err = &ogenerrors.DecodeBodyError{
+				ContentType: ct,
+				Body:        buf,
+				Err:         err,
+			}
+			return req, close, err
+		}
+		if err := func() error {
+			if err := request.Validate(); err != nil {
+				return err
+			}
+			return nil
+		}(); err != nil {
+			return req, close, errors.Wrap(err, "validate")
+		}
+		return &request, close, nil
+	default:
+		return req, close, validate.InvalidContentType(ct)
+	}
+}
+
+func (s *Server) decodeCreateScriptPolicyRequest(r *http.Request) (
+	req *ScriptPolicyCreate,
+	close func() error,
+	rerr error,
+) {
+	var closers []func() error
+	close = func() error {
+		var merr error
+		// Close in reverse order, to match defer behavior.
+		for i := len(closers) - 1; i >= 0; i-- {
+			c := closers[i]
+			merr = multierr.Append(merr, c())
+		}
+		return merr
+	}
+	defer func() {
+		if rerr != nil {
+			rerr = multierr.Append(rerr, close())
+		}
+	}()
+	ct, _, err := mime.ParseMediaType(r.Header.Get("Content-Type"))
+	if err != nil {
+		return req, close, errors.Wrap(err, "parse media type")
+	}
+	switch {
+	case ct == "application/json":
+		if r.ContentLength == 0 {
+			return req, close, validate.ErrBodyRequired
+		}
+		buf, err := io.ReadAll(r.Body)
+		if err != nil {
+			return req, close, err
+		}
+
+		if len(buf) == 0 {
+			return req, close, validate.ErrBodyRequired
+		}
+
+		d := jx.DecodeBytes(buf)
+
+		var request ScriptPolicyCreate
+		if err := func() error {
+			if err := request.Decode(d); err != nil {
+				return err
+			}
+			if err := d.Skip(); err != io.EOF {
+				return errors.New("unexpected trailing data")
+			}
+			return nil
+		}(); err != nil {
+			err = &ogenerrors.DecodeBodyError{
+				ContentType: ct,
+				Body:        buf,
+				Err:         err,
+			}
+			return req, close, err
+		}
+		return &request, close, nil
+	default:
+		return req, close, validate.InvalidContentType(ct)
+	}
+}
--- a/pkg/internal/oas_request_encoders_gen.go
+++ b/pkg/internal/oas_request_encoders_gen.go
@@ -0,0 +1,40 @@
+// Code generated by ogen, DO NOT EDIT.
+
+package api
+
+import (
+	"bytes"
+	"net/http"
+
+	"github.com/go-faster/jx"
+
+	ht "github.com/ogen-go/ogen/http"
+)
+
+func encodeCreateScriptRequest(
+	req *ScriptCreate,
+	r *http.Request,
+) error {
+	const contentType = "application/json"
+	e := new(jx.Encoder)
+	{
+		req.Encode(e)
+	}
+	encoded := e.Bytes()
+	ht.SetBody(r, bytes.NewReader(encoded), contentType)
+	return nil
+}
+
+func encodeCreateScriptPolicyRequest(
+	req *ScriptPolicyCreate,
+	r *http.Request,
+) error {
+	const contentType = "application/json"
+	e := new(jx.Encoder)
+	{
+		req.Encode(e)
+	}
+	encoded := e.Bytes()
+	ht.SetBody(r, bytes.NewReader(encoded), contentType)
+	return nil
+}
--- a/pkg/internal/oas_response_decoders_gen.go
+++ b/pkg/internal/oas_response_decoders_gen.go
@@ -0,0 +1,712 @@
+// Code generated by ogen, DO NOT EDIT.
+
+package api
+
+import (
+	"fmt"
+	"io"
+	"mime"
+	"net/http"
+
+	"github.com/go-faster/errors"
+	"github.com/go-faster/jx"
+
+	"github.com/ogen-go/ogen/ogenerrors"
+	"github.com/ogen-go/ogen/validate"
+)
+
+func decodeActionSubmissionAcceptedResponse(resp *http.Response) (res *ActionSubmissionAcceptedNoContent, _ error) {
+	switch resp.StatusCode {
+	case 204:
+		// Code 204.
+		return &ActionSubmissionAcceptedNoContent{}, nil
+	}
+	// Convenient error response.
+	defRes, err := func() (res *ErrorStatusCode, err error) {
+		ct, _, err := mime.ParseMediaType(resp.Header.Get("Content-Type"))
+		if err != nil {
+			return res, errors.Wrap(err, "parse media type")
+		}
+		switch {
+		case ct == "application/json":
+			buf, err := io.ReadAll(resp.Body)
+			if err != nil {
+				return res, err
+			}
+			d := jx.DecodeBytes(buf)
+
+			var response Error
+			if err := func() error {
+				if err := response.Decode(d); err != nil {
+					return err
+				}
+				if err := d.Skip(); err != io.EOF {
+					return errors.New("unexpected trailing data")
+				}
+				return nil
+			}(); err != nil {
+				err = &ogenerrors.DecodeBodyError{
+					ContentType: ct,
+					Body:        buf,
+					Err:         err,
+				}
+				return res, err
+			}
+			return &ErrorStatusCode{
+				StatusCode: resp.StatusCode,
+				Response:   response,
+			}, nil
+		default:
+			return res, validate.InvalidContentType(ct)
+		}
+	}()
+	if err != nil {
+		return res, errors.Wrapf(err, "default (code %d)", resp.StatusCode)
+	}
+	return res, errors.Wrap(defRes, "error")
+}
+
+func decodeActionSubmissionUploadedResponse(resp *http.Response) (res *ActionSubmissionUploadedNoContent, _ error) {
+	switch resp.StatusCode {
+	case 204:
+		// Code 204.
+		return &ActionSubmissionUploadedNoContent{}, nil
+	}
+	// Convenient error response.
+	defRes, err := func() (res *ErrorStatusCode, err error) {
+		ct, _, err := mime.ParseMediaType(resp.Header.Get("Content-Type"))
+		if err != nil {
+			return res, errors.Wrap(err, "parse media type")
+		}
+		switch {
+		case ct == "application/json":
+			buf, err := io.ReadAll(resp.Body)
+			if err != nil {
+				return res, err
+			}
+			d := jx.DecodeBytes(buf)
+
+			var response Error
+			if err := func() error {
+				if err := response.Decode(d); err != nil {
+					return err
+				}
+				if err := d.Skip(); err != io.EOF {
+					return errors.New("unexpected trailing data")
+				}
+				return nil
+			}(); err != nil {
+				err = &ogenerrors.DecodeBodyError{
+					ContentType: ct,
+					Body:        buf,
+					Err:         err,
+				}
+				return res, err
+			}
+			return &ErrorStatusCode{
+				StatusCode: resp.StatusCode,
+				Response:   response,
+			}, nil
+		default:
+			return res, validate.InvalidContentType(ct)
+		}
+	}()
+	if err != nil {
+		return res, errors.Wrapf(err, "default (code %d)", resp.StatusCode)
+	}
+	return res, errors.Wrap(defRes, "error")
+}
+
+func decodeActionSubmissionValidatedResponse(resp *http.Response) (res *ActionSubmissionValidatedNoContent, _ error) {
+	switch resp.StatusCode {
+	case 204:
+		// Code 204.
+		return &ActionSubmissionValidatedNoContent{}, nil
+	}
+	// Convenient error response.
+	defRes, err := func() (res *ErrorStatusCode, err error) {
+		ct, _, err := mime.ParseMediaType(resp.Header.Get("Content-Type"))
+		if err != nil {
+			return res, errors.Wrap(err, "parse media type")
+		}
+		switch {
+		case ct == "application/json":
+			buf, err := io.ReadAll(resp.Body)
+			if err != nil {
+				return res, err
+			}
+			d := jx.DecodeBytes(buf)
+
+			var response Error
+			if err := func() error {
+				if err := response.Decode(d); err != nil {
+					return err
+				}
+				if err := d.Skip(); err != io.EOF {
+					return errors.New("unexpected trailing data")
+				}
+				return nil
+			}(); err != nil {
+				err = &ogenerrors.DecodeBodyError{
+					ContentType: ct,
+					Body:        buf,
+					Err:         err,
+				}
+				return res, err
+			}
+			return &ErrorStatusCode{
+				StatusCode: resp.StatusCode,
+				Response:   response,
+			}, nil
+		default:
+			return res, validate.InvalidContentType(ct)
+		}
+	}()
+	if err != nil {
+		return res, errors.Wrapf(err, "default (code %d)", resp.StatusCode)
+	}
+	return res, errors.Wrap(defRes, "error")
+}
+
+func decodeCreateScriptResponse(resp *http.Response) (res *ID, _ error) {
+	switch resp.StatusCode {
+	case 201:
+		// Code 201.
+		ct, _, err := mime.ParseMediaType(resp.Header.Get("Content-Type"))
+		if err != nil {
+			return res, errors.Wrap(err, "parse media type")
+		}
+		switch {
+		case ct == "application/json":
+			buf, err := io.ReadAll(resp.Body)
+			if err != nil {
+				return res, err
+			}
+			d := jx.DecodeBytes(buf)
+
+			var response ID
+			if err := func() error {
+				if err := response.Decode(d); err != nil {
+					return err
+				}
+				if err := d.Skip(); err != io.EOF {
+					return errors.New("unexpected trailing data")
+				}
+				return nil
+			}(); err != nil {
+				err = &ogenerrors.DecodeBodyError{
+					ContentType: ct,
+					Body:        buf,
+					Err:         err,
+				}
+				return res, err
+			}
+			return &response, nil
+		default:
+			return res, validate.InvalidContentType(ct)
+		}
+	}
+	// Convenient error response.
+	defRes, err := func() (res *ErrorStatusCode, err error) {
+		ct, _, err := mime.ParseMediaType(resp.Header.Get("Content-Type"))
+		if err != nil {
+			return res, errors.Wrap(err, "parse media type")
+		}
+		switch {
+		case ct == "application/json":
+			buf, err := io.ReadAll(resp.Body)
+			if err != nil {
+				return res, err
+			}
+			d := jx.DecodeBytes(buf)
+
+			var response Error
+			if err := func() error {
+				if err := response.Decode(d); err != nil {
+					return err
+				}
+				if err := d.Skip(); err != io.EOF {
+					return errors.New("unexpected trailing data")
+				}
+				return nil
+			}(); err != nil {
+				err = &ogenerrors.DecodeBodyError{
+					ContentType: ct,
+					Body:        buf,
+					Err:         err,
+				}
+				return res, err
+			}
+			return &ErrorStatusCode{
+				StatusCode: resp.StatusCode,
+				Response:   response,
+			}, nil
+		default:
+			return res, validate.InvalidContentType(ct)
+		}
+	}()
+	if err != nil {
+		return res, errors.Wrapf(err, "default (code %d)", resp.StatusCode)
+	}
+	return res, errors.Wrap(defRes, "error")
+}
+
+func decodeCreateScriptPolicyResponse(resp *http.Response) (res *ID, _ error) {
+	switch resp.StatusCode {
+	case 201:
+		// Code 201.
+		ct, _, err := mime.ParseMediaType(resp.Header.Get("Content-Type"))
+		if err != nil {
+			return res, errors.Wrap(err, "parse media type")
+		}
+		switch {
+		case ct == "application/json":
+			buf, err := io.ReadAll(resp.Body)
+			if err != nil {
+				return res, err
+			}
+			d := jx.DecodeBytes(buf)
+
+			var response ID
+			if err := func() error {
+				if err := response.Decode(d); err != nil {
+					return err
+				}
+				if err := d.Skip(); err != io.EOF {
+					return errors.New("unexpected trailing data")
+				}
+				return nil
+			}(); err != nil {
+				err = &ogenerrors.DecodeBodyError{
+					ContentType: ct,
+					Body:        buf,
+					Err:         err,
+				}
+				return res, err
+			}
+			return &response, nil
+		default:
+			return res, validate.InvalidContentType(ct)
+		}
+	}
+	// Convenient error response.
+	defRes, err := func() (res *ErrorStatusCode, err error) {
+		ct, _, err := mime.ParseMediaType(resp.Header.Get("Content-Type"))
+		if err != nil {
+			return res, errors.Wrap(err, "parse media type")
+		}
+		switch {
+		case ct == "application/json":
+			buf, err := io.ReadAll(resp.Body)
+			if err != nil {
+				return res, err
+			}
+			d := jx.DecodeBytes(buf)
+
+			var response Error
+			if err := func() error {
+				if err := response.Decode(d); err != nil {
+					return err
+				}
+				if err := d.Skip(); err != io.EOF {
+					return errors.New("unexpected trailing data")
+				}
+				return nil
+			}(); err != nil {
+				err = &ogenerrors.DecodeBodyError{
+					ContentType: ct,
+					Body:        buf,
+					Err:         err,
+				}
+				return res, err
+			}
+			return &ErrorStatusCode{
+				StatusCode: resp.StatusCode,
+				Response:   response,
+			}, nil
+		default:
+			return res, validate.InvalidContentType(ct)
+		}
+	}()
+	if err != nil {
+		return res, errors.Wrapf(err, "default (code %d)", resp.StatusCode)
+	}
+	return res, errors.Wrap(defRes, "error")
+}
+
+func decodeGetScriptResponse(resp *http.Response) (res *Script, _ error) {
+	switch resp.StatusCode {
+	case 200:
+		// Code 200.
+		ct, _, err := mime.ParseMediaType(resp.Header.Get("Content-Type"))
+		if err != nil {
+			return res, errors.Wrap(err, "parse media type")
+		}
+		switch {
+		case ct == "application/json":
+			buf, err := io.ReadAll(resp.Body)
+			if err != nil {
+				return res, err
+			}
+			d := jx.DecodeBytes(buf)
+
+			var response Script
+			if err := func() error {
+				if err := response.Decode(d); err != nil {
+					return err
+				}
+				if err := d.Skip(); err != io.EOF {
+					return errors.New("unexpected trailing data")
+				}
+				return nil
+			}(); err != nil {
+				err = &ogenerrors.DecodeBodyError{
+					ContentType: ct,
+					Body:        buf,
+					Err:         err,
+				}
+				return res, err
+			}
+			// Validate response.
+			if err := func() error {
+				if err := response.Validate(); err != nil {
+					return err
+				}
+				return nil
+			}(); err != nil {
+				return res, errors.Wrap(err, "validate")
+			}
+			return &response, nil
+		default:
+			return res, validate.InvalidContentType(ct)
+		}
+	}
+	// Convenient error response.
+	defRes, err := func() (res *ErrorStatusCode, err error) {
+		ct, _, err := mime.ParseMediaType(resp.Header.Get("Content-Type"))
+		if err != nil {
+			return res, errors.Wrap(err, "parse media type")
+		}
+		switch {
+		case ct == "application/json":
+			buf, err := io.ReadAll(resp.Body)
+			if err != nil {
+				return res, err
+			}
+			d := jx.DecodeBytes(buf)
+
+			var response Error
+			if err := func() error {
+				if err := response.Decode(d); err != nil {
+					return err
+				}
+				if err := d.Skip(); err != io.EOF {
+					return errors.New("unexpected trailing data")
+				}
+				return nil
+			}(); err != nil {
+				err = &ogenerrors.DecodeBodyError{
+					ContentType: ct,
+					Body:        buf,
+					Err:         err,
+				}
+				return res, err
+			}
+			return &ErrorStatusCode{
+				StatusCode: resp.StatusCode,
+				Response:   response,
+			}, nil
+		default:
+			return res, validate.InvalidContentType(ct)
+		}
+	}()
+	if err != nil {
+		return res, errors.Wrapf(err, "default (code %d)", resp.StatusCode)
+	}
+	return res, errors.Wrap(defRes, "error")
+}
+
+func decodeListScriptPolicyResponse(resp *http.Response) (res []ScriptPolicy, _ error) {
+	switch resp.StatusCode {
+	case 200:
+		// Code 200.
+		ct, _, err := mime.ParseMediaType(resp.Header.Get("Content-Type"))
+		if err != nil {
+			return res, errors.Wrap(err, "parse media type")
+		}
+		switch {
+		case ct == "application/json":
+			buf, err := io.ReadAll(resp.Body)
+			if err != nil {
+				return res, err
+			}
+			d := jx.DecodeBytes(buf)
+
+			var response []ScriptPolicy
+			if err := func() error {
+				response = make([]ScriptPolicy, 0)
+				if err := d.Arr(func(d *jx.Decoder) error {
+					var elem ScriptPolicy
+					if err := elem.Decode(d); err != nil {
+						return err
+					}
+					response = append(response, elem)
+					return nil
+				}); err != nil {
+					return err
+				}
+				if err := d.Skip(); err != io.EOF {
+					return errors.New("unexpected trailing data")
+				}
+				return nil
+			}(); err != nil {
+				err = &ogenerrors.DecodeBodyError{
+					ContentType: ct,
+					Body:        buf,
+					Err:         err,
+				}
+				return res, err
+			}
+			// Validate response.
+			if err := func() error {
+				if response == nil {
+					return errors.New("nil is invalid value")
+				}
+				var failures []validate.FieldError
+				for i, elem := range response {
+					if err := func() error {
+						if err := elem.Validate(); err != nil {
+							return err
+						}
+						return nil
+					}(); err != nil {
+						failures = append(failures, validate.FieldError{
+							Name:  fmt.Sprintf("[%d]", i),
+							Error: err,
+						})
+					}
+				}
+				if len(failures) > 0 {
+					return &validate.Error{Fields: failures}
+				}
+				return nil
+			}(); err != nil {
+				return res, errors.Wrap(err, "validate")
+			}
+			return response, nil
+		default:
+			return res, validate.InvalidContentType(ct)
+		}
+	}
+	// Convenient error response.
+	defRes, err := func() (res *ErrorStatusCode, err error) {
+		ct, _, err := mime.ParseMediaType(resp.Header.Get("Content-Type"))
+		if err != nil {
+			return res, errors.Wrap(err, "parse media type")
+		}
+		switch {
+		case ct == "application/json":
+			buf, err := io.ReadAll(resp.Body)
+			if err != nil {
+				return res, err
+			}
+			d := jx.DecodeBytes(buf)
+
+			var response Error
+			if err := func() error {
+				if err := response.Decode(d); err != nil {
+					return err
+				}
+				if err := d.Skip(); err != io.EOF {
+					return errors.New("unexpected trailing data")
+				}
+				return nil
+			}(); err != nil {
+				err = &ogenerrors.DecodeBodyError{
+					ContentType: ct,
+					Body:        buf,
+					Err:         err,
+				}
+				return res, err
+			}
+			return &ErrorStatusCode{
+				StatusCode: resp.StatusCode,
+				Response:   response,
+			}, nil
+		default:
+			return res, validate.InvalidContentType(ct)
+		}
+	}()
+	if err != nil {
+		return res, errors.Wrapf(err, "default (code %d)", resp.StatusCode)
+	}
+	return res, errors.Wrap(defRes, "error")
+}
+
+func decodeListScriptsResponse(resp *http.Response) (res []Script, _ error) {
+	switch resp.StatusCode {
+	case 200:
+		// Code 200.
+		ct, _, err := mime.ParseMediaType(resp.Header.Get("Content-Type"))
+		if err != nil {
+			return res, errors.Wrap(err, "parse media type")
+		}
+		switch {
+		case ct == "application/json":
+			buf, err := io.ReadAll(resp.Body)
+			if err != nil {
+				return res, err
+			}
+			d := jx.DecodeBytes(buf)
+
+			var response []Script
+			if err := func() error {
+				response = make([]Script, 0)
+				if err := d.Arr(func(d *jx.Decoder) error {
+					var elem Script
+					if err := elem.Decode(d); err != nil {
+						return err
+					}
+					response = append(response, elem)
+					return nil
+				}); err != nil {
+					return err
+				}
+				if err := d.Skip(); err != io.EOF {
+					return errors.New("unexpected trailing data")
+				}
+				return nil
+			}(); err != nil {
+				err = &ogenerrors.DecodeBodyError{
+					ContentType: ct,
+					Body:        buf,
+					Err:         err,
+				}
+				return res, err
+			}
+			// Validate response.
+			if err := func() error {
+				if response == nil {
+					return errors.New("nil is invalid value")
+				}
+				var failures []validate.FieldError
+				for i, elem := range response {
+					if err := func() error {
+						if err := elem.Validate(); err != nil {
+							return err
+						}
+						return nil
+					}(); err != nil {
+						failures = append(failures, validate.FieldError{
+							Name:  fmt.Sprintf("[%d]", i),
+							Error: err,
+						})
+					}
+				}
+				if len(failures) > 0 {
+					return &validate.Error{Fields: failures}
+				}
+				return nil
+			}(); err != nil {
+				return res, errors.Wrap(err, "validate")
+			}
+			return response, nil
+		default:
+			return res, validate.InvalidContentType(ct)
+		}
+	}
+	// Convenient error response.
+	defRes, err := func() (res *ErrorStatusCode, err error) {
+		ct, _, err := mime.ParseMediaType(resp.Header.Get("Content-Type"))
+		if err != nil {
+			return res, errors.Wrap(err, "parse media type")
+		}
+		switch {
+		case ct == "application/json":
+			buf, err := io.ReadAll(resp.Body)
+			if err != nil {
+				return res, err
+			}
+			d := jx.DecodeBytes(buf)
+
+			var response Error
+			if err := func() error {
+				if err := response.Decode(d); err != nil {
+					return err
+				}
+				if err := d.Skip(); err != io.EOF {
+					return errors.New("unexpected trailing data")
+				}
+				return nil
+			}(); err != nil {
+				err = &ogenerrors.DecodeBodyError{
+					ContentType: ct,
+					Body:        buf,
+					Err:         err,
+				}
+				return res, err
+			}
+			return &ErrorStatusCode{
+				StatusCode: resp.StatusCode,
+				Response:   response,
+			}, nil
+		default:
+			return res, validate.InvalidContentType(ct)
+		}
+	}()
+	if err != nil {
+		return res, errors.Wrapf(err, "default (code %d)", resp.StatusCode)
+	}
+	return res, errors.Wrap(defRes, "error")
+}
+
+func decodeUpdateSubmissionValidatedModelResponse(resp *http.Response) (res *UpdateSubmissionValidatedModelNoContent, _ error) {
+	switch resp.StatusCode {
+	case 204:
+		// Code 204.
+		return &UpdateSubmissionValidatedModelNoContent{}, nil
+	}
+	// Convenient error response.
+	defRes, err := func() (res *ErrorStatusCode, err error) {
+		ct, _, err := mime.ParseMediaType(resp.Header.Get("Content-Type"))
+		if err != nil {
+			return res, errors.Wrap(err, "parse media type")
+		}
+		switch {
+		case ct == "application/json":
+			buf, err := io.ReadAll(resp.Body)
+			if err != nil {
+				return res, err
+			}
+			d := jx.DecodeBytes(buf)
+
+			var response Error
+			if err := func() error {
+				if err := response.Decode(d); err != nil {
+					return err
+				}
+				if err := d.Skip(); err != io.EOF {
+					return errors.New("unexpected trailing data")
+				}
+				return nil
+			}(); err != nil {
+				err = &ogenerrors.DecodeBodyError{
+					ContentType: ct,
+					Body:        buf,
+					Err:         err,
+				}
+				return res, err
+			}
+			return &ErrorStatusCode{
+				StatusCode: resp.StatusCode,
+				Response:   response,
+			}, nil
+		default:
+			return res, validate.InvalidContentType(ct)
+		}
+	}()
+	if err != nil {
+		return res, errors.Wrapf(err, "default (code %d)", resp.StatusCode)
+	}
+	return res, errors.Wrap(defRes, "error")
+}
--- a/pkg/internal/oas_response_encoders_gen.go
+++ b/pkg/internal/oas_response_encoders_gen.go
@@ -0,0 +1,147 @@
+// Code generated by ogen, DO NOT EDIT.
+
+package api
+
+import (
+	"net/http"
+
+	"github.com/go-faster/errors"
+	"github.com/go-faster/jx"
+	"go.opentelemetry.io/otel/codes"
+	"go.opentelemetry.io/otel/trace"
+
+	ht "github.com/ogen-go/ogen/http"
+)
+
+func encodeActionSubmissionAcceptedResponse(response *ActionSubmissionAcceptedNoContent, w http.ResponseWriter, span trace.Span) error {
+	w.WriteHeader(204)
+	span.SetStatus(codes.Ok, http.StatusText(204))
+
+	return nil
+}
+
+func encodeActionSubmissionUploadedResponse(response *ActionSubmissionUploadedNoContent, w http.ResponseWriter, span trace.Span) error {
+	w.WriteHeader(204)
+	span.SetStatus(codes.Ok, http.StatusText(204))
+
+	return nil
+}
+
+func encodeActionSubmissionValidatedResponse(response *ActionSubmissionValidatedNoContent, w http.ResponseWriter, span trace.Span) error {
+	w.WriteHeader(204)
+	span.SetStatus(codes.Ok, http.StatusText(204))
+
+	return nil
+}
+
+func encodeCreateScriptResponse(response *ID, w http.ResponseWriter, span trace.Span) error {
+	w.Header().Set("Content-Type", "application/json; charset=utf-8")
+	w.WriteHeader(201)
+	span.SetStatus(codes.Ok, http.StatusText(201))
+
+	e := new(jx.Encoder)
+	response.Encode(e)
+	if _, err := e.WriteTo(w); err != nil {
+		return errors.Wrap(err, "write")
+	}
+
+	return nil
+}
+
+func encodeCreateScriptPolicyResponse(response *ID, w http.ResponseWriter, span trace.Span) error {
+	w.Header().Set("Content-Type", "application/json; charset=utf-8")
+	w.WriteHeader(201)
+	span.SetStatus(codes.Ok, http.StatusText(201))
+
+	e := new(jx.Encoder)
+	response.Encode(e)
+	if _, err := e.WriteTo(w); err != nil {
+		return errors.Wrap(err, "write")
+	}
+
+	return nil
+}
+
+func encodeGetScriptResponse(response *Script, w http.ResponseWriter, span trace.Span) error {
+	w.Header().Set("Content-Type", "application/json; charset=utf-8")
+	w.WriteHeader(200)
+	span.SetStatus(codes.Ok, http.StatusText(200))
+
+	e := new(jx.Encoder)
+	response.Encode(e)
+	if _, err := e.WriteTo(w); err != nil {
+		return errors.Wrap(err, "write")
+	}
+
+	return nil
+}
+
+func encodeListScriptPolicyResponse(response []ScriptPolicy, w http.ResponseWriter, span trace.Span) error {
+	w.Header().Set("Content-Type", "application/json; charset=utf-8")
+	w.WriteHeader(200)
+	span.SetStatus(codes.Ok, http.StatusText(200))
+
+	e := new(jx.Encoder)
+	e.ArrStart()
+	for _, elem := range response {
+		elem.Encode(e)
+	}
+	e.ArrEnd()
+	if _, err := e.WriteTo(w); err != nil {
+		return errors.Wrap(err, "write")
+	}
+
+	return nil
+}
+
+func encodeListScriptsResponse(response []Script, w http.ResponseWriter, span trace.Span) error {
+	w.Header().Set("Content-Type", "application/json; charset=utf-8")
+	w.WriteHeader(200)
+	span.SetStatus(codes.Ok, http.StatusText(200))
+
+	e := new(jx.Encoder)
+	e.ArrStart()
+	for _, elem := range response {
+		elem.Encode(e)
+	}
+	e.ArrEnd()
+	if _, err := e.WriteTo(w); err != nil {
+		return errors.Wrap(err, "write")
+	}
+
+	return nil
+}
+
+func encodeUpdateSubmissionValidatedModelResponse(response *UpdateSubmissionValidatedModelNoContent, w http.ResponseWriter, span trace.Span) error {
+	w.WriteHeader(204)
+	span.SetStatus(codes.Ok, http.StatusText(204))
+
+	return nil
+}
+
+func encodeErrorResponse(response *ErrorStatusCode, w http.ResponseWriter, span trace.Span) error {
+	w.Header().Set("Content-Type", "application/json; charset=utf-8")
+	code := response.StatusCode
+	if code == 0 {
+		// Set default status code.
+		code = http.StatusOK
+	}
+	w.WriteHeader(code)
+	if st := http.StatusText(code); code >= http.StatusBadRequest {
+		span.SetStatus(codes.Error, st)
+	} else {
+		span.SetStatus(codes.Ok, st)
+	}
+
+	e := new(jx.Encoder)
+	response.Response.Encode(e)
+	if _, err := e.WriteTo(w); err != nil {
+		return errors.Wrap(err, "write")
+	}
+
+	if code >= http.StatusInternalServerError {
+		return errors.Wrapf(ht.ErrInternalServerErrorResponse, "code: %d, message: %s", code, http.StatusText(code))
+	}
+	return nil
+
+}
--- a/pkg/internal/oas_router_gen.go
+++ b/pkg/internal/oas_router_gen.go
@@ -0,0 +1,651 @@
+// Code generated by ogen, DO NOT EDIT.
+
+package api
+
+import (
+	"net/http"
+	"net/url"
+	"strings"
+
+	"github.com/ogen-go/ogen/uri"
+)
+
+func (s *Server) cutPrefix(path string) (string, bool) {
+	prefix := s.cfg.Prefix
+	if prefix == "" {
+		return path, true
+	}
+	if !strings.HasPrefix(path, prefix) {
+		// Prefix doesn't match.
+		return "", false
+	}
+	// Cut prefix from the path.
+	return strings.TrimPrefix(path, prefix), true
+}
+
+// ServeHTTP serves http request as defined by OpenAPI v3 specification,
+// calling handler that matches the path or returning not found error.
+func (s *Server) ServeHTTP(w http.ResponseWriter, r *http.Request) {
+	elem := r.URL.Path
+	elemIsEscaped := false
+	if rawPath := r.URL.RawPath; rawPath != "" {
+		if normalized, ok := uri.NormalizeEscapedPath(rawPath); ok {
+			elem = normalized
+			elemIsEscaped = strings.ContainsRune(elem, '%')
+		}
+	}
+
+	elem, ok := s.cutPrefix(elem)
+	if !ok || len(elem) == 0 {
+		s.notFound(w, r)
+		return
+	}
+	args := [1]string{}
+
+	// Static code generated router with unwrapped path search.
+	switch {
+	default:
+		if len(elem) == 0 {
+			break
+		}
+		switch elem[0] {
+		case '/': // Prefix: "/s"
+
+			if l := len("/s"); len(elem) >= l && elem[0:l] == "/s" {
+				elem = elem[l:]
+			} else {
+				break
+			}
+
+			if len(elem) == 0 {
+				break
+			}
+			switch elem[0] {
+			case 'c': // Prefix: "cript"
+
+				if l := len("cript"); len(elem) >= l && elem[0:l] == "cript" {
+					elem = elem[l:]
+				} else {
+					break
+				}
+
+				if len(elem) == 0 {
+					break
+				}
+				switch elem[0] {
+				case '-': // Prefix: "-policy"
+
+					if l := len("-policy"); len(elem) >= l && elem[0:l] == "-policy" {
+						elem = elem[l:]
+					} else {
+						break
+					}
+
+					if len(elem) == 0 {
+						// Leaf node.
+						switch r.Method {
+						case "GET":
+							s.handleListScriptPolicyRequest([0]string{}, elemIsEscaped, w, r)
+						case "POST":
+							s.handleCreateScriptPolicyRequest([0]string{}, elemIsEscaped, w, r)
+						default:
+							s.notAllowed(w, r, "GET,POST")
+						}
+
+						return
+					}
+
+				case 's': // Prefix: "s"
+
+					if l := len("s"); len(elem) >= l && elem[0:l] == "s" {
+						elem = elem[l:]
+					} else {
+						break
+					}
+
+					if len(elem) == 0 {
+						switch r.Method {
+						case "GET":
+							s.handleListScriptsRequest([0]string{}, elemIsEscaped, w, r)
+						case "POST":
+							s.handleCreateScriptRequest([0]string{}, elemIsEscaped, w, r)
+						default:
+							s.notAllowed(w, r, "GET,POST")
+						}
+
+						return
+					}
+					switch elem[0] {
+					case '/': // Prefix: "/"
+
+						if l := len("/"); len(elem) >= l && elem[0:l] == "/" {
+							elem = elem[l:]
+						} else {
+							break
+						}
+
+						// Param: "ScriptID"
+						// Leaf parameter, slashes are prohibited
+						idx := strings.IndexByte(elem, '/')
+						if idx >= 0 {
+							break
+						}
+						args[0] = elem
+						elem = ""
+
+						if len(elem) == 0 {
+							// Leaf node.
+							switch r.Method {
+							case "GET":
+								s.handleGetScriptRequest([1]string{
+									args[0],
+								}, elemIsEscaped, w, r)
+							default:
+								s.notAllowed(w, r, "GET")
+							}
+
+							return
+						}
+
+					}
+
+				}
+
+			case 'u': // Prefix: "ubmissions/"
+
+				if l := len("ubmissions/"); len(elem) >= l && elem[0:l] == "ubmissions/" {
+					elem = elem[l:]
+				} else {
+					break
+				}
+
+				// Param: "SubmissionID"
+				// Match until "/"
+				idx := strings.IndexByte(elem, '/')
+				if idx < 0 {
+					idx = len(elem)
+				}
+				args[0] = elem[:idx]
+				elem = elem[idx:]
+
+				if len(elem) == 0 {
+					break
+				}
+				switch elem[0] {
+				case '/': // Prefix: "/"
+
+					if l := len("/"); len(elem) >= l && elem[0:l] == "/" {
+						elem = elem[l:]
+					} else {
+						break
+					}
+
+					if len(elem) == 0 {
+						break
+					}
+					switch elem[0] {
+					case 's': // Prefix: "status/validator-"
+
+						if l := len("status/validator-"); len(elem) >= l && elem[0:l] == "status/validator-" {
+							elem = elem[l:]
+						} else {
+							break
+						}
+
+						if len(elem) == 0 {
+							break
+						}
+						switch elem[0] {
+						case 'f': // Prefix: "failed"
+
+							if l := len("failed"); len(elem) >= l && elem[0:l] == "failed" {
+								elem = elem[l:]
+							} else {
+								break
+							}
+
+							if len(elem) == 0 {
+								// Leaf node.
+								switch r.Method {
+								case "POST":
+									s.handleActionSubmissionAcceptedRequest([1]string{
+										args[0],
+									}, elemIsEscaped, w, r)
+								default:
+									s.notAllowed(w, r, "POST")
+								}
+
+								return
+							}
+
+						case 'u': // Prefix: "uploaded"
+
+							if l := len("uploaded"); len(elem) >= l && elem[0:l] == "uploaded" {
+								elem = elem[l:]
+							} else {
+								break
+							}
+
+							if len(elem) == 0 {
+								// Leaf node.
+								switch r.Method {
+								case "POST":
+									s.handleActionSubmissionUploadedRequest([1]string{
+										args[0],
+									}, elemIsEscaped, w, r)
+								default:
+									s.notAllowed(w, r, "POST")
+								}
+
+								return
+							}
+
+						case 'v': // Prefix: "validated"
+
+							if l := len("validated"); len(elem) >= l && elem[0:l] == "validated" {
+								elem = elem[l:]
+							} else {
+								break
+							}
+
+							if len(elem) == 0 {
+								// Leaf node.
+								switch r.Method {
+								case "POST":
+									s.handleActionSubmissionValidatedRequest([1]string{
+										args[0],
+									}, elemIsEscaped, w, r)
+								default:
+									s.notAllowed(w, r, "POST")
+								}
+
+								return
+							}
+
+						}
+
+					case 'v': // Prefix: "validated-model"
+
+						if l := len("validated-model"); len(elem) >= l && elem[0:l] == "validated-model" {
+							elem = elem[l:]
+						} else {
+							break
+						}
+
+						if len(elem) == 0 {
+							// Leaf node.
+							switch r.Method {
+							case "POST":
+								s.handleUpdateSubmissionValidatedModelRequest([1]string{
+									args[0],
+								}, elemIsEscaped, w, r)
+							default:
+								s.notAllowed(w, r, "POST")
+							}
+
+							return
+						}
+
+					}
+
+				}
+
+			}
+
+		}
+	}
+	s.notFound(w, r)
+}
+
+// Route is route object.
+type Route struct {
+	name        string
+	summary     string
+	operationID string
+	pathPattern string
+	count       int
+	args        [1]string
+}
+
+// Name returns ogen operation name.
+//
+// It is guaranteed to be unique and not empty.
+func (r Route) Name() string {
+	return r.name
+}
+
+// Summary returns OpenAPI summary.
+func (r Route) Summary() string {
+	return r.summary
+}
+
+// OperationID returns OpenAPI operationId.
+func (r Route) OperationID() string {
+	return r.operationID
+}
+
+// PathPattern returns OpenAPI path.
+func (r Route) PathPattern() string {
+	return r.pathPattern
+}
+
+// Args returns parsed arguments.
+func (r Route) Args() []string {
+	return r.args[:r.count]
+}
+
+// FindRoute finds Route for given method and path.
+//
+// Note: this method does not unescape path or handle reserved characters in path properly. Use FindPath instead.
+func (s *Server) FindRoute(method, path string) (Route, bool) {
+	return s.FindPath(method, &url.URL{Path: path})
+}
+
+// FindPath finds Route for given method and URL.
+func (s *Server) FindPath(method string, u *url.URL) (r Route, _ bool) {
+	var (
+		elem = u.Path
+		args = r.args
+	)
+	if rawPath := u.RawPath; rawPath != "" {
+		if normalized, ok := uri.NormalizeEscapedPath(rawPath); ok {
+			elem = normalized
+		}
+		defer func() {
+			for i, arg := range r.args[:r.count] {
+				if unescaped, err := url.PathUnescape(arg); err == nil {
+					r.args[i] = unescaped
+				}
+			}
+		}()
+	}
+
+	elem, ok := s.cutPrefix(elem)
+	if !ok {
+		return r, false
+	}
+
+	// Static code generated router with unwrapped path search.
+	switch {
+	default:
+		if len(elem) == 0 {
+			break
+		}
+		switch elem[0] {
+		case '/': // Prefix: "/s"
+
+			if l := len("/s"); len(elem) >= l && elem[0:l] == "/s" {
+				elem = elem[l:]
+			} else {
+				break
+			}
+
+			if len(elem) == 0 {
+				break
+			}
+			switch elem[0] {
+			case 'c': // Prefix: "cript"
+
+				if l := len("cript"); len(elem) >= l && elem[0:l] == "cript" {
+					elem = elem[l:]
+				} else {
+					break
+				}
+
+				if len(elem) == 0 {
+					break
+				}
+				switch elem[0] {
+				case '-': // Prefix: "-policy"
+
+					if l := len("-policy"); len(elem) >= l && elem[0:l] == "-policy" {
+						elem = elem[l:]
+					} else {
+						break
+					}
+
+					if len(elem) == 0 {
+						// Leaf node.
+						switch method {
+						case "GET":
+							r.name = ListScriptPolicyOperation
+							r.summary = "Get list of script policies"
+							r.operationID = "listScriptPolicy"
+							r.pathPattern = "/script-policy"
+							r.args = args
+							r.count = 0
+							return r, true
+						case "POST":
+							r.name = CreateScriptPolicyOperation
+							r.summary = "Create a new script policy"
+							r.operationID = "createScriptPolicy"
+							r.pathPattern = "/script-policy"
+							r.args = args
+							r.count = 0
+							return r, true
+						default:
+							return
+						}
+					}
+
+				case 's': // Prefix: "s"
+
+					if l := len("s"); len(elem) >= l && elem[0:l] == "s" {
+						elem = elem[l:]
+					} else {
+						break
+					}
+
+					if len(elem) == 0 {
+						switch method {
+						case "GET":
+							r.name = ListScriptsOperation
+							r.summary = "Get list of scripts"
+							r.operationID = "listScripts"
+							r.pathPattern = "/scripts"
+							r.args = args
+							r.count = 0
+							return r, true
+						case "POST":
+							r.name = CreateScriptOperation
+							r.summary = "Create a new script"
+							r.operationID = "createScript"
+							r.pathPattern = "/scripts"
+							r.args = args
+							r.count = 0
+							return r, true
+						default:
+							return
+						}
+					}
+					switch elem[0] {
+					case '/': // Prefix: "/"
+
+						if l := len("/"); len(elem) >= l && elem[0:l] == "/" {
+							elem = elem[l:]
+						} else {
+							break
+						}
+
+						// Param: "ScriptID"
+						// Leaf parameter, slashes are prohibited
+						idx := strings.IndexByte(elem, '/')
+						if idx >= 0 {
+							break
+						}
+						args[0] = elem
+						elem = ""
+
+						if len(elem) == 0 {
+							// Leaf node.
+							switch method {
+							case "GET":
+								r.name = GetScriptOperation
+								r.summary = "Get the specified script by ID"
+								r.operationID = "getScript"
+								r.pathPattern = "/scripts/{ScriptID}"
+								r.args = args
+								r.count = 1
+								return r, true
+							default:
+								return
+							}
+						}
+
+					}
+
+				}
+
+			case 'u': // Prefix: "ubmissions/"
+
+				if l := len("ubmissions/"); len(elem) >= l && elem[0:l] == "ubmissions/" {
+					elem = elem[l:]
+				} else {
+					break
+				}
+
+				// Param: "SubmissionID"
+				// Match until "/"
+				idx := strings.IndexByte(elem, '/')
+				if idx < 0 {
+					idx = len(elem)
+				}
+				args[0] = elem[:idx]
+				elem = elem[idx:]
+
+				if len(elem) == 0 {
+					break
+				}
+				switch elem[0] {
+				case '/': // Prefix: "/"
+
+					if l := len("/"); len(elem) >= l && elem[0:l] == "/" {
+						elem = elem[l:]
+					} else {
+						break
+					}
+
+					if len(elem) == 0 {
+						break
+					}
+					switch elem[0] {
+					case 's': // Prefix: "status/validator-"
+
+						if l := len("status/validator-"); len(elem) >= l && elem[0:l] == "status/validator-" {
+							elem = elem[l:]
+						} else {
+							break
+						}
+
+						if len(elem) == 0 {
+							break
+						}
+						switch elem[0] {
+						case 'f': // Prefix: "failed"
+
+							if l := len("failed"); len(elem) >= l && elem[0:l] == "failed" {
+								elem = elem[l:]
+							} else {
+								break
+							}
+
+							if len(elem) == 0 {
+								// Leaf node.
+								switch method {
+								case "POST":
+									r.name = ActionSubmissionAcceptedOperation
+									r.summary = "(Internal endpoint) Role Validator changes status from Validating -> Accepted"
+									r.operationID = "actionSubmissionAccepted"
+									r.pathPattern = "/submissions/{SubmissionID}/status/validator-failed"
+									r.args = args
+									r.count = 1
+									return r, true
+								default:
+									return
+								}
+							}
+
+						case 'u': // Prefix: "uploaded"
+
+							if l := len("uploaded"); len(elem) >= l && elem[0:l] == "uploaded" {
+								elem = elem[l:]
+							} else {
+								break
+							}
+
+							if len(elem) == 0 {
+								// Leaf node.
+								switch method {
+								case "POST":
+									r.name = ActionSubmissionUploadedOperation
+									r.summary = "(Internal endpoint) Role Validator changes status from Uploading -> Uploaded"
+									r.operationID = "actionSubmissionUploaded"
+									r.pathPattern = "/submissions/{SubmissionID}/status/validator-uploaded"
+									r.args = args
+									r.count = 1
+									return r, true
+								default:
+									return
+								}
+							}
+
+						case 'v': // Prefix: "validated"
+
+							if l := len("validated"); len(elem) >= l && elem[0:l] == "validated" {
+								elem = elem[l:]
+							} else {
+								break
+							}
+
+							if len(elem) == 0 {
+								// Leaf node.
+								switch method {
+								case "POST":
+									r.name = ActionSubmissionValidatedOperation
+									r.summary = "(Internal endpoint) Role Validator changes status from Validating -> Validated"
+									r.operationID = "actionSubmissionValidated"
+									r.pathPattern = "/submissions/{SubmissionID}/status/validator-validated"
+									r.args = args
+									r.count = 1
+									return r, true
+								default:
+									return
+								}
+							}
+
+						}
+
+					case 'v': // Prefix: "validated-model"
+
+						if l := len("validated-model"); len(elem) >= l && elem[0:l] == "validated-model" {
+							elem = elem[l:]
+						} else {
+							break
+						}
+
+						if len(elem) == 0 {
+							// Leaf node.
+							switch method {
+							case "POST":
+								r.name = UpdateSubmissionValidatedModelOperation
+								r.summary = "Update validated model"
+								r.operationID = "updateSubmissionValidatedModel"
+								r.pathPattern = "/submissions/{SubmissionID}/validated-model"
+								r.args = args
+								r.count = 1
+								return r, true
+							default:
+								return
+							}
+						}
+
+					}
+
+				}
+
+			}
+
+		}
+	}
+	return r, false
+}
--- a/pkg/internal/oas_schemas_gen.go
+++ b/pkg/internal/oas_schemas_gen.go
@@ -0,0 +1,432 @@
+// Code generated by ogen, DO NOT EDIT.
+
+package api
+
+import (
+	"fmt"
+)
+
+func (s *ErrorStatusCode) Error() string {
+	return fmt.Sprintf("code %d: %+v", s.StatusCode, s.Response)
+}
+
+// ActionSubmissionAcceptedNoContent is response for ActionSubmissionAccepted operation.
+type ActionSubmissionAcceptedNoContent struct{}
+
+// ActionSubmissionUploadedNoContent is response for ActionSubmissionUploaded operation.
+type ActionSubmissionUploadedNoContent struct{}
+
+// ActionSubmissionValidatedNoContent is response for ActionSubmissionValidated operation.
+type ActionSubmissionValidatedNoContent struct{}
+
+// Represents error object.
+// Ref: #/components/schemas/Error
+type Error struct {
+	Code    int64  `json:"code"`
+	Message string `json:"message"`
+}
+
+// GetCode returns the value of Code.
+func (s *Error) GetCode() int64 {
+	return s.Code
+}
+
+// GetMessage returns the value of Message.
+func (s *Error) GetMessage() string {
+	return s.Message
+}
+
+// SetCode sets the value of Code.
+func (s *Error) SetCode(val int64) {
+	s.Code = val
+}
+
+// SetMessage sets the value of Message.
+func (s *Error) SetMessage(val string) {
+	s.Message = val
+}
+
+// ErrorStatusCode wraps Error with StatusCode.
+type ErrorStatusCode struct {
+	StatusCode int
+	Response   Error
+}
+
+// GetStatusCode returns the value of StatusCode.
+func (s *ErrorStatusCode) GetStatusCode() int {
+	return s.StatusCode
+}
+
+// GetResponse returns the value of Response.
+func (s *ErrorStatusCode) GetResponse() Error {
+	return s.Response
+}
+
+// SetStatusCode sets the value of StatusCode.
+func (s *ErrorStatusCode) SetStatusCode(val int) {
+	s.StatusCode = val
+}
+
+// SetResponse sets the value of Response.
+func (s *ErrorStatusCode) SetResponse(val Error) {
+	s.Response = val
+}
+
+// Ref: #/components/schemas/Id
+type ID struct {
+	ID int64 `json:"ID"`
+}
+
+// GetID returns the value of ID.
+func (s *ID) GetID() int64 {
+	return s.ID
+}
+
+// SetID sets the value of ID.
+func (s *ID) SetID(val int64) {
+	s.ID = val
+}
+
+// NewOptInt32 returns new OptInt32 with value set to v.
+func NewOptInt32(v int32) OptInt32 {
+	return OptInt32{
+		Value: v,
+		Set:   true,
+	}
+}
+
+// OptInt32 is optional int32.
+type OptInt32 struct {
+	Value int32
+	Set   bool
+}
+
+// IsSet returns true if OptInt32 was set.
+func (o OptInt32) IsSet() bool { return o.Set }
+
+// Reset unsets value.
+func (o *OptInt32) Reset() {
+	var v int32
+	o.Value = v
+	o.Set = false
+}
+
+// SetTo sets value to v.
+func (o *OptInt32) SetTo(v int32) {
+	o.Set = true
+	o.Value = v
+}
+
+// Get returns value and boolean that denotes whether value was set.
+func (o OptInt32) Get() (v int32, ok bool) {
+	if !o.Set {
+		return v, false
+	}
+	return o.Value, true
+}
+
+// Or returns value if set, or given parameter if does not.
+func (o OptInt32) Or(d int32) int32 {
+	if v, ok := o.Get(); ok {
+		return v
+	}
+	return d
+}
+
+// NewOptInt64 returns new OptInt64 with value set to v.
+func NewOptInt64(v int64) OptInt64 {
+	return OptInt64{
+		Value: v,
+		Set:   true,
+	}
+}
+
+// OptInt64 is optional int64.
+type OptInt64 struct {
+	Value int64
+	Set   bool
+}
+
+// IsSet returns true if OptInt64 was set.
+func (o OptInt64) IsSet() bool { return o.Set }
+
+// Reset unsets value.
+func (o *OptInt64) Reset() {
+	var v int64
+	o.Value = v
+	o.Set = false
+}
+
+// SetTo sets value to v.
+func (o *OptInt64) SetTo(v int64) {
+	o.Set = true
+	o.Value = v
+}
+
+// Get returns value and boolean that denotes whether value was set.
+func (o OptInt64) Get() (v int64, ok bool) {
+	if !o.Set {
+		return v, false
+	}
+	return o.Value, true
+}
+
+// Or returns value if set, or given parameter if does not.
+func (o OptInt64) Or(d int64) int64 {
+	if v, ok := o.Get(); ok {
+		return v
+	}
+	return d
+}
+
+// NewOptString returns new OptString with value set to v.
+func NewOptString(v string) OptString {
+	return OptString{
+		Value: v,
+		Set:   true,
+	}
+}
+
+// OptString is optional string.
+type OptString struct {
+	Value string
+	Set   bool
+}
+
+// IsSet returns true if OptString was set.
+func (o OptString) IsSet() bool { return o.Set }
+
+// Reset unsets value.
+func (o *OptString) Reset() {
+	var v string
+	o.Value = v
+	o.Set = false
+}
+
+// SetTo sets value to v.
+func (o *OptString) SetTo(v string) {
+	o.Set = true
+	o.Value = v
+}
+
+// Get returns value and boolean that denotes whether value was set.
+func (o OptString) Get() (v string, ok bool) {
+	if !o.Set {
+		return v, false
+	}
+	return o.Value, true
+}
+
+// Or returns value if set, or given parameter if does not.
+func (o OptString) Or(d string) string {
+	if v, ok := o.Get(); ok {
+		return v
+	}
+	return d
+}
+
+// Ref: #/components/schemas/Script
+type Script struct {
+	ID           int64  `json:"ID"`
+	Name         string `json:"Name"`
+	Hash         string `json:"Hash"`
+	Source       string `json:"Source"`
+	ResourceType int32  `json:"ResourceType"`
+	ResourceID   int64  `json:"ResourceID"`
+}
+
+// GetID returns the value of ID.
+func (s *Script) GetID() int64 {
+	return s.ID
+}
+
+// GetName returns the value of Name.
+func (s *Script) GetName() string {
+	return s.Name
+}
+
+// GetHash returns the value of Hash.
+func (s *Script) GetHash() string {
+	return s.Hash
+}
+
+// GetSource returns the value of Source.
+func (s *Script) GetSource() string {
+	return s.Source
+}
+
+// GetResourceType returns the value of ResourceType.
+func (s *Script) GetResourceType() int32 {
+	return s.ResourceType
+}
+
+// GetResourceID returns the value of ResourceID.
+func (s *Script) GetResourceID() int64 {
+	return s.ResourceID
+}
+
+// SetID sets the value of ID.
+func (s *Script) SetID(val int64) {
+	s.ID = val
+}
+
+// SetName sets the value of Name.
+func (s *Script) SetName(val string) {
+	s.Name = val
+}
+
+// SetHash sets the value of Hash.
+func (s *Script) SetHash(val string) {
+	s.Hash = val
+}
+
+// SetSource sets the value of Source.
+func (s *Script) SetSource(val string) {
+	s.Source = val
+}
+
+// SetResourceType sets the value of ResourceType.
+func (s *Script) SetResourceType(val int32) {
+	s.ResourceType = val
+}
+
+// SetResourceID sets the value of ResourceID.
+func (s *Script) SetResourceID(val int64) {
+	s.ResourceID = val
+}
+
+// Ref: #/components/schemas/ScriptCreate
+type ScriptCreate struct {
+	Name         string   `json:"Name"`
+	Source       string   `json:"Source"`
+	ResourceType int32    `json:"ResourceType"`
+	ResourceID   OptInt64 `json:"ResourceID"`
+}
+
+// GetName returns the value of Name.
+func (s *ScriptCreate) GetName() string {
+	return s.Name
+}
+
+// GetSource returns the value of Source.
+func (s *ScriptCreate) GetSource() string {
+	return s.Source
+}
+
+// GetResourceType returns the value of ResourceType.
+func (s *ScriptCreate) GetResourceType() int32 {
+	return s.ResourceType
+}
+
+// GetResourceID returns the value of ResourceID.
+func (s *ScriptCreate) GetResourceID() OptInt64 {
+	return s.ResourceID
+}
+
+// SetName sets the value of Name.
+func (s *ScriptCreate) SetName(val string) {
+	s.Name = val
+}
+
+// SetSource sets the value of Source.
+func (s *ScriptCreate) SetSource(val string) {
+	s.Source = val
+}
+
+// SetResourceType sets the value of ResourceType.
+func (s *ScriptCreate) SetResourceType(val int32) {
+	s.ResourceType = val
+}
+
+// SetResourceID sets the value of ResourceID.
+func (s *ScriptCreate) SetResourceID(val OptInt64) {
+	s.ResourceID = val
+}
+
+// Ref: #/components/schemas/ScriptPolicy
+type ScriptPolicy struct {
+	ID             int64  `json:"ID"`
+	FromScriptHash string `json:"FromScriptHash"`
+	ToScriptID     int64  `json:"ToScriptID"`
+	Policy         int32  `json:"Policy"`
+}
+
+// GetID returns the value of ID.
+func (s *ScriptPolicy) GetID() int64 {
+	return s.ID
+}
+
+// GetFromScriptHash returns the value of FromScriptHash.
+func (s *ScriptPolicy) GetFromScriptHash() string {
+	return s.FromScriptHash
+}
+
+// GetToScriptID returns the value of ToScriptID.
+func (s *ScriptPolicy) GetToScriptID() int64 {
+	return s.ToScriptID
+}
+
+// GetPolicy returns the value of Policy.
+func (s *ScriptPolicy) GetPolicy() int32 {
+	return s.Policy
+}
+
+// SetID sets the value of ID.
+func (s *ScriptPolicy) SetID(val int64) {
+	s.ID = val
+}
+
+// SetFromScriptHash sets the value of FromScriptHash.
+func (s *ScriptPolicy) SetFromScriptHash(val string) {
+	s.FromScriptHash = val
+}
+
+// SetToScriptID sets the value of ToScriptID.
+func (s *ScriptPolicy) SetToScriptID(val int64) {
+	s.ToScriptID = val
+}
+
+// SetPolicy sets the value of Policy.
+func (s *ScriptPolicy) SetPolicy(val int32) {
+	s.Policy = val
+}
+
+// Ref: #/components/schemas/ScriptPolicyCreate
+type ScriptPolicyCreate struct {
+	FromScriptID int64 `json:"FromScriptID"`
+	ToScriptID   int64 `json:"ToScriptID"`
+	Policy       int32 `json:"Policy"`
+}
+
+// GetFromScriptID returns the value of FromScriptID.
+func (s *ScriptPolicyCreate) GetFromScriptID() int64 {
+	return s.FromScriptID
+}
+
+// GetToScriptID returns the value of ToScriptID.
+func (s *ScriptPolicyCreate) GetToScriptID() int64 {
+	return s.ToScriptID
+}
+
+// GetPolicy returns the value of Policy.
+func (s *ScriptPolicyCreate) GetPolicy() int32 {
+	return s.Policy
+}
+
+// SetFromScriptID sets the value of FromScriptID.
+func (s *ScriptPolicyCreate) SetFromScriptID(val int64) {
+	s.FromScriptID = val
+}
+
+// SetToScriptID sets the value of ToScriptID.
+func (s *ScriptPolicyCreate) SetToScriptID(val int64) {
+	s.ToScriptID = val
+}
+
+// SetPolicy sets the value of Policy.
+func (s *ScriptPolicyCreate) SetPolicy(val int32) {
+	s.Policy = val
+}
+
+// UpdateSubmissionValidatedModelNoContent is response for UpdateSubmissionValidatedModel operation.
+type UpdateSubmissionValidatedModelNoContent struct{}
--- a/pkg/internal/oas_server_gen.go
+++ b/pkg/internal/oas_server_gen.go
@@ -0,0 +1,88 @@
+// Code generated by ogen, DO NOT EDIT.
+
+package api
+
+import (
+	"context"
+)
+
+// Handler handles operations described by OpenAPI v3 specification.
+type Handler interface {
+	// ActionSubmissionAccepted implements actionSubmissionAccepted operation.
+	//
+	// (Internal endpoint) Role Validator changes status from Validating -> Accepted.
+	//
+	// POST /submissions/{SubmissionID}/status/validator-failed
+	ActionSubmissionAccepted(ctx context.Context, params ActionSubmissionAcceptedParams) error
+	// ActionSubmissionUploaded implements actionSubmissionUploaded operation.
+	//
+	// (Internal endpoint) Role Validator changes status from Uploading -> Uploaded.
+	//
+	// POST /submissions/{SubmissionID}/status/validator-uploaded
+	ActionSubmissionUploaded(ctx context.Context, params ActionSubmissionUploadedParams) error
+	// ActionSubmissionValidated implements actionSubmissionValidated operation.
+	//
+	// (Internal endpoint) Role Validator changes status from Validating -> Validated.
+	//
+	// POST /submissions/{SubmissionID}/status/validator-validated
+	ActionSubmissionValidated(ctx context.Context, params ActionSubmissionValidatedParams) error
+	// CreateScript implements createScript operation.
+	//
+	// Create a new script.
+	//
+	// POST /scripts
+	CreateScript(ctx context.Context, req *ScriptCreate) (*ID, error)
+	// CreateScriptPolicy implements createScriptPolicy operation.
+	//
+	// Create a new script policy.
+	//
+	// POST /script-policy
+	CreateScriptPolicy(ctx context.Context, req *ScriptPolicyCreate) (*ID, error)
+	// GetScript implements getScript operation.
+	//
+	// Get the specified script by ID.
+	//
+	// GET /scripts/{ScriptID}
+	GetScript(ctx context.Context, params GetScriptParams) (*Script, error)
+	// ListScriptPolicy implements listScriptPolicy operation.
+	//
+	// Get list of script policies.
+	//
+	// GET /script-policy
+	ListScriptPolicy(ctx context.Context, params ListScriptPolicyParams) ([]ScriptPolicy, error)
+	// ListScripts implements listScripts operation.
+	//
+	// Get list of scripts.
+	//
+	// GET /scripts
+	ListScripts(ctx context.Context, params ListScriptsParams) ([]Script, error)
+	// UpdateSubmissionValidatedModel implements updateSubmissionValidatedModel operation.
+	//
+	// Update validated model.
+	//
+	// POST /submissions/{SubmissionID}/validated-model
+	UpdateSubmissionValidatedModel(ctx context.Context, params UpdateSubmissionValidatedModelParams) error
+	// NewError creates *ErrorStatusCode from error returned by handler.
+	//
+	// Used for common default response.
+	NewError(ctx context.Context, err error) *ErrorStatusCode
+}
+
+// Server implements http server based on OpenAPI v3 specification and
+// calls Handler to handle requests.
+type Server struct {
+	h Handler
+	baseServer
+}
+
+// NewServer creates new Server.
+func NewServer(h Handler, opts ...ServerOption) (*Server, error) {
+	s, err := newServerConfig(opts...).baseServer()
+	if err != nil {
+		return nil, err
+	}
+	return &Server{
+		h:          h,
+		baseServer: s,
+	}, nil
+}
--- a/pkg/internal/oas_unimplemented_gen.go
+++ b/pkg/internal/oas_unimplemented_gen.go
@@ -0,0 +1,103 @@
+// Code generated by ogen, DO NOT EDIT.
+
+package api
+
+import (
+	"context"
+
+	ht "github.com/ogen-go/ogen/http"
+)
+
+// UnimplementedHandler is no-op Handler which returns http.ErrNotImplemented.
+type UnimplementedHandler struct{}
+
+var _ Handler = UnimplementedHandler{}
+
+// ActionSubmissionAccepted implements actionSubmissionAccepted operation.
+//
+// (Internal endpoint) Role Validator changes status from Validating -> Accepted.
+//
+// POST /submissions/{SubmissionID}/status/validator-failed
+func (UnimplementedHandler) ActionSubmissionAccepted(ctx context.Context, params ActionSubmissionAcceptedParams) error {
+	return ht.ErrNotImplemented
+}
+
+// ActionSubmissionUploaded implements actionSubmissionUploaded operation.
+//
+// (Internal endpoint) Role Validator changes status from Uploading -> Uploaded.
+//
+// POST /submissions/{SubmissionID}/status/validator-uploaded
+func (UnimplementedHandler) ActionSubmissionUploaded(ctx context.Context, params ActionSubmissionUploadedParams) error {
+	return ht.ErrNotImplemented
+}
+
+// ActionSubmissionValidated implements actionSubmissionValidated operation.
+//
+// (Internal endpoint) Role Validator changes status from Validating -> Validated.
+//
+// POST /submissions/{SubmissionID}/status/validator-validated
+func (UnimplementedHandler) ActionSubmissionValidated(ctx context.Context, params ActionSubmissionValidatedParams) error {
+	return ht.ErrNotImplemented
+}
+
+// CreateScript implements createScript operation.
+//
+// Create a new script.
+//
+// POST /scripts
+func (UnimplementedHandler) CreateScript(ctx context.Context, req *ScriptCreate) (r *ID, _ error) {
+	return r, ht.ErrNotImplemented
+}
+
+// CreateScriptPolicy implements createScriptPolicy operation.
+//
+// Create a new script policy.
+//
+// POST /script-policy
+func (UnimplementedHandler) CreateScriptPolicy(ctx context.Context, req *ScriptPolicyCreate) (r *ID, _ error) {
+	return r, ht.ErrNotImplemented
+}
+
+// GetScript implements getScript operation.
+//
+// Get the specified script by ID.
+//
+// GET /scripts/{ScriptID}
+func (UnimplementedHandler) GetScript(ctx context.Context, params GetScriptParams) (r *Script, _ error) {
+	return r, ht.ErrNotImplemented
+}
+
+// ListScriptPolicy implements listScriptPolicy operation.
+//
+// Get list of script policies.
+//
+// GET /script-policy
+func (UnimplementedHandler) ListScriptPolicy(ctx context.Context, params ListScriptPolicyParams) (r []ScriptPolicy, _ error) {
+	return r, ht.ErrNotImplemented
+}
+
+// ListScripts implements listScripts operation.
+//
+// Get list of scripts.
+//
+// GET /scripts
+func (UnimplementedHandler) ListScripts(ctx context.Context, params ListScriptsParams) (r []Script, _ error) {
+	return r, ht.ErrNotImplemented
+}
+
+// UpdateSubmissionValidatedModel implements updateSubmissionValidatedModel operation.
+//
+// Update validated model.
+//
+// POST /submissions/{SubmissionID}/validated-model
+func (UnimplementedHandler) UpdateSubmissionValidatedModel(ctx context.Context, params UpdateSubmissionValidatedModelParams) error {
+	return ht.ErrNotImplemented
+}
+
+// NewError creates *ErrorStatusCode from error returned by handler.
+//
+// Used for common default response.
+func (UnimplementedHandler) NewError(ctx context.Context, err error) (r *ErrorStatusCode) {
+	r = new(ErrorStatusCode)
+	return r
+}
--- a/pkg/internal/oas_validators_gen.go
+++ b/pkg/internal/oas_validators_gen.go
@@ -0,0 +1,159 @@
+// Code generated by ogen, DO NOT EDIT.
+
+package api
+
+import (
+	"github.com/go-faster/errors"
+
+	"github.com/ogen-go/ogen/validate"
+)
+
+func (s *Script) Validate() error {
+	if s == nil {
+		return validate.ErrNilPointer
+	}
+
+	var failures []validate.FieldError
+	if err := func() error {
+		if err := (validate.String{
+			MinLength:    0,
+			MinLengthSet: false,
+			MaxLength:    128,
+			MaxLengthSet: true,
+			Email:        false,
+			Hostname:     false,
+			Regex:        nil,
+		}).Validate(string(s.Name)); err != nil {
+			return errors.Wrap(err, "string")
+		}
+		return nil
+	}(); err != nil {
+		failures = append(failures, validate.FieldError{
+			Name:  "Name",
+			Error: err,
+		})
+	}
+	if err := func() error {
+		if err := (validate.String{
+			MinLength:    16,
+			MinLengthSet: true,
+			MaxLength:    16,
+			MaxLengthSet: true,
+			Email:        false,
+			Hostname:     false,
+			Regex:        nil,
+		}).Validate(string(s.Hash)); err != nil {
+			return errors.Wrap(err, "string")
+		}
+		return nil
+	}(); err != nil {
+		failures = append(failures, validate.FieldError{
+			Name:  "Hash",
+			Error: err,
+		})
+	}
+	if err := func() error {
+		if err := (validate.String{
+			MinLength:    0,
+			MinLengthSet: false,
+			MaxLength:    1048576,
+			MaxLengthSet: true,
+			Email:        false,
+			Hostname:     false,
+			Regex:        nil,
+		}).Validate(string(s.Source)); err != nil {
+			return errors.Wrap(err, "string")
+		}
+		return nil
+	}(); err != nil {
+		failures = append(failures, validate.FieldError{
+			Name:  "Source",
+			Error: err,
+		})
+	}
+	if len(failures) > 0 {
+		return &validate.Error{Fields: failures}
+	}
+	return nil
+}
+
+func (s *ScriptCreate) Validate() error {
+	if s == nil {
+		return validate.ErrNilPointer
+	}
+
+	var failures []validate.FieldError
+	if err := func() error {
+		if err := (validate.String{
+			MinLength:    0,
+			MinLengthSet: false,
+			MaxLength:    128,
+			MaxLengthSet: true,
+			Email:        false,
+			Hostname:     false,
+			Regex:        nil,
+		}).Validate(string(s.Name)); err != nil {
+			return errors.Wrap(err, "string")
+		}
+		return nil
+	}(); err != nil {
+		failures = append(failures, validate.FieldError{
+			Name:  "Name",
+			Error: err,
+		})
+	}
+	if err := func() error {
+		if err := (validate.String{
+			MinLength:    0,
+			MinLengthSet: false,
+			MaxLength:    1048576,
+			MaxLengthSet: true,
+			Email:        false,
+			Hostname:     false,
+			Regex:        nil,
+		}).Validate(string(s.Source)); err != nil {
+			return errors.Wrap(err, "string")
+		}
+		return nil
+	}(); err != nil {
+		failures = append(failures, validate.FieldError{
+			Name:  "Source",
+			Error: err,
+		})
+	}
+	if len(failures) > 0 {
+		return &validate.Error{Fields: failures}
+	}
+	return nil
+}
+
+func (s *ScriptPolicy) Validate() error {
+	if s == nil {
+		return validate.ErrNilPointer
+	}
+
+	var failures []validate.FieldError
+	if err := func() error {
+		if err := (validate.String{
+			MinLength:    16,
+			MinLengthSet: true,
+			MaxLength:    16,
+			MaxLengthSet: true,
+			Email:        false,
+			Hostname:     false,
+			Regex:        nil,
+		}).Validate(string(s.FromScriptHash)); err != nil {
+			return errors.Wrap(err, "string")
+		}
+		return nil
+	}(); err != nil {
+		failures = append(failures, validate.FieldError{
+			Name:  "FromScriptHash",
+			Error: err,
+		})
+	}
+	if len(failures) > 0 {
+		return &validate.Error{Fields: failures}
+	}
+	return nil
+}
--- a/pkg/model/nats.go
+++ b/pkg/model/nats.go
@@ -8,25 +8,22 @@ package model
 type ValidateRequest struct {
 	// submission_id is passed back in the response message
 	SubmissionID     int64
-	ModelID          uint64
-	ModelVersion     uint64
-	ValidatedModelID uint64 // optional value
+	ModelID          int64
+	ModelVersion     int64
+	ValidatedModelID *int64 // optional value
 }

 // Create a new map
-type PublishNewRequest struct {
+type UploadNewRequest struct {
 	SubmissionID int64
-	ModelID      uint64
-	ModelVersion uint64
-	Creator      string
-	DisplayName  string
-	GameID       uint32
-	//games HashSet<GameID>
+	ModelID      int64
+	ModelVersion int64
+	ModelName    string
 }

-type PublishFixRequest struct {
+type UploadFixRequest struct {
 	SubmissionID  int64
-	ModelID       uint64
-	ModelVersion  uint64
-	TargetAssetID uint64
+	ModelID       int64
+	ModelVersion  int64
+	TargetAssetID int64
 }
--- a/pkg/model/policy.go
+++ b/pkg/model/policy.go
@@ -17,7 +17,7 @@ type ScriptPolicy struct {
 	// Hash of the source code that leads to this policy.
 	// If this is a replacement mapping, the original source may not be pointed to by any policy.
 	// The original source should still exist in the scripts table, which can be located by the same hash.
-	FromScriptHash uint64
+	FromScriptHash int64 // postgres does not support unsigned integers, so we have to pretend
 	// The ID of the replacement source (ScriptPolicyReplace)
 	// or verbatim source (ScriptPolicyAllowed)
 	// or 0 (other)
--- a/pkg/model/script.go
+++ b/pkg/model/script.go
@@ -1,12 +1,42 @@
 package model

-import "time"
+import (
+	"fmt"
+	"strconv"
+	"time"
+
+	"github.com/dchest/siphash"
+)
+
+// compute the hash of a source code string
+func HashSource(source string) uint64{
+	return siphash.Hash(0, 0, []byte(source))
+}
+
+// format a hash value as a hexidecimal string
+func HashFormat(hash uint64) string{
+	return fmt.Sprintf("%016x", hash)
+}
+
+// parse a hexidecimal hash string
+func HashParse(hash string) (uint64, error){
+	return strconv.ParseUint(hash, 16, 64)
+}
+
+type ResourceType int32
+const (
+	ResourceUnknown    ResourceType = 0
+	ResourceMapfix     ResourceType = 1
+	ResourceSubmission ResourceType = 2
+)

 type Script struct {
 	ID           int64 `gorm:"primaryKey"`
-	Hash         uint64
+	Name         string
+	Hash         int64 // postgres does not support unsigned integers, so we have to pretend
 	Source       string
-	SubmissionID int64 // which submission did this script first appear in
+	ResourceType ResourceType // is this a submission or is it a mapfix
+	ResourceID   int64 // which submission / mapfix did this script first appear in
 	CreatedAt    time.Time
 	UpdatedAt    time.Time
 }
--- a/pkg/model/submission.go
+++ b/pkg/model/submission.go
@@ -2,20 +2,24 @@ package model

 import "time"

-type Status int32
+type SubmissionStatus int32

 const (
-	StatusPublished Status = 8
-	StatusRejected  Status = 7
+	// Phase: Final SubmissionStatus
+	SubmissionStatusReleased  SubmissionStatus = 9
+	SubmissionStatusRejected  SubmissionStatus = 8

-	StatusPublishing Status = 6
-	StatusValidated  Status = 5
-	StatusValidating Status = 4
-	StatusAccepted   Status = 3
+	// Phase: Testing
+	SubmissionStatusUploaded   SubmissionStatus = 7 // uploaded to the group, but pending release
+	SubmissionStatusUploading  SubmissionStatus = 6
+	SubmissionStatusValidated  SubmissionStatus = 5
+	SubmissionStatusValidating SubmissionStatus = 4
+	SubmissionStatusAccepted   SubmissionStatus = 3 // pending script review, can re-trigger validation

-	StatusChangesRequested  Status = 2
-	StatusSubmitted         Status = 1
-	StatusUnderConstruction Status = 0
+	// Phase: Creation
+	SubmissionStatusChangesRequested  SubmissionStatus = 2
+	SubmissionStatusSubmitted         SubmissionStatus = 1
+	SubmissionStatusUnderConstruction SubmissionStatus = 0
 )

 type Submission struct {
@@ -25,10 +29,13 @@ type Submission struct {
 	GameID        int32
 	CreatedAt     time.Time
 	UpdatedAt     time.Time
-	Submitter     uint64 // UserID
-	AssetID       uint64
-	AssetVersion  uint64
+	Submitter     int64 // UserID
+	AssetID       int64
+	AssetVersion  int64
+	ValidatedAssetID       int64
+	ValidatedAssetVersion  int64
 	Completed     bool   // Has this version of the map been completed at least once on maptest
-	TargetAssetID uint64 // where to upload map fix.  if the TargetAssetID is 0, it's a new map.
-	StatusID      Status
+	UploadedAssetID        int64 // where to upload map fix.  if the TargetAssetID is 0, it's a new map.
+	StatusID      SubmissionStatus
+	StatusMessage string
 }
--- a/pkg/service/script_policy.go
+++ b/pkg/service/script_policy.go
@@ -2,8 +2,6 @@ package service

 import (
 	"context"
-	"fmt"
-	"strconv"

 	"git.itzana.me/strafesnet/maps-service/pkg/api"
 	"git.itzana.me/strafesnet/maps-service/pkg/datastore"
@@ -16,12 +14,16 @@ import (
 //
 // POST /script-policy
 func (svc *Service) CreateScriptPolicy(ctx context.Context, req *api.ScriptPolicyCreate) (*api.ID, error) {
-	userInfo, ok := ctx.Value("UserInfo").(UserInfo)
+	userInfo, ok := ctx.Value("UserInfo").(UserInfoHandle)
 	if !ok {
 		return nil, ErrUserInfo
 	}

-	if !userInfo.Roles.ScriptWrite {
+	has_role, err := userInfo.HasRoleScriptWrite()
+	if err != nil {
+		return nil, err
+	}
+	if !has_role {
 		return nil, ErrPermissionDenied
 	}

@@ -53,30 +55,38 @@ func (svc *Service) CreateScriptPolicy(ctx context.Context, req *api.ScriptPolic
 // Get list of script policies.
 //
 // GET /script-policy
-func (svc *Service) ListScriptPolicy(ctx context.Context, request *api.ListScriptPolicyReq) ([]api.ScriptPolicy, error) {
+func (svc *Service) ListScriptPolicy(ctx context.Context, params api.ListScriptPolicyParams) ([]api.ScriptPolicy, error) {
 	filter := datastore.Optional()
-	//fmt.Println(request)
-	if request.Filter.IsSet() {
-		filter.AddNotNil("from_script_hash", request.Filter.Value.FromScriptHash)
-		filter.AddNotNil("to_script_id", request.Filter.Value.ToScriptID)
-		filter.AddNotNil("policy", request.Filter.Value.Policy)
+
+	if params.FromScriptHash.IsSet(){
+		hash, err := model.HashParse(params.FromScriptHash.Value)
+		if err != nil {
+			return nil, err
+		}
+		filter.AddNotNil("from_script_hash", int64(hash)) // No type safety!
+	}
+	if params.ToScriptID.IsSet(){
+		filter.AddNotNil("to_script_id", params.ToScriptID.Value)
+	}
+	if params.Policy.IsSet(){
+		filter.AddNotNil("policy", params.Policy.Value)
 	}

 	items, err := svc.DB.ScriptPolicy().List(ctx, filter, model.Page{
-		Number: request.Page.GetPage(),
-		Size:   request.Page.GetLimit(),
+		Number: params.Page,
+		Size:   params.Limit,
 	})
 	if err != nil {
 		return nil, err
 	}

 	var resp []api.ScriptPolicy
-	for i := 0; i < len(items); i++ {
+	for _, item := range items {
 		resp = append(resp, api.ScriptPolicy{
-			ID:             items[i].ID,
-			FromScriptHash: fmt.Sprintf("%x", items[i].FromScriptHash),
-			ToScriptID:     items[i].ToScriptID,
-			Policy:         int32(items[i].Policy),
+			ID:             item.ID,
+			FromScriptHash: model.HashFormat(uint64(item.FromScriptHash)),
+			ToScriptID:     item.ToScriptID,
+			Policy:         int32(item.Policy),
 		})
 	}

@@ -87,14 +97,18 @@ func (svc *Service) ListScriptPolicy(ctx context.Context, request *api.ListScrip
 //
 // Delete the specified script policy by ID.
 //
-// DELETE /script-policy/id/{ScriptPolicyID}
+// DELETE /script-policy/{ScriptPolicyID}
 func (svc *Service) DeleteScriptPolicy(ctx context.Context, params api.DeleteScriptPolicyParams) error {
-	userInfo, ok := ctx.Value("UserInfo").(UserInfo)
+	userInfo, ok := ctx.Value("UserInfo").(UserInfoHandle)
 	if !ok {
 		return ErrUserInfo
 	}

-	if !userInfo.Roles.ScriptWrite {
+	has_role, err := userInfo.HasRoleScriptWrite()
+	if err != nil {
+		return err
+	}
+	if !has_role {
 		return ErrPermissionDenied
 	}

@@ -105,9 +119,9 @@ func (svc *Service) DeleteScriptPolicy(ctx context.Context, params api.DeleteScr
 //
 // Get the specified script policy by ID.
 //
-// GET /script-policy/id/{ScriptPolicyID}
+// GET /script-policy/{ScriptPolicyID}
 func (svc *Service) GetScriptPolicy(ctx context.Context, params api.GetScriptPolicyParams) (*api.ScriptPolicy, error) {
-	_, ok := ctx.Value("UserInfo").(UserInfo)
+	_, ok := ctx.Value("UserInfo").(UserInfoHandle)
 	if !ok {
 		return nil, ErrUserInfo
 	}
@@ -121,39 +135,7 @@ func (svc *Service) GetScriptPolicy(ctx context.Context, params api.GetScriptPol

 	return &api.ScriptPolicy{
 		ID:             policy.ID,
-		FromScriptHash: fmt.Sprintf("%x", policy.FromScriptHash),
-		ToScriptID:     policy.ToScriptID,
-		Policy:         int32(policy.Policy),
-	}, nil
-}
-
-// GetScriptPolicyFromHash implements getScriptPolicyFromHash operation.
-//
-// Get the policy for the given hash of script source code.
-//
-// GET /script-policy/hash/{FromScriptHash}
-func (svc *Service) GetScriptPolicyFromHash(ctx context.Context, params api.GetScriptPolicyFromHashParams) (*api.ScriptPolicy, error) {
-	_, ok := ctx.Value("UserInfo").(UserInfo)
-	if !ok {
-		return nil, ErrUserInfo
-	}
-
-	// Read permission for script policy only requires you to be logged in
-
-	// parse hash from hex
-	hash, err := strconv.ParseUint(params.FromScriptHash, 16, 64)
-	if err != nil {
-		return nil, err
-	}
-
-	policy, err := svc.DB.ScriptPolicy().GetFromHash(ctx, hash)
-	if err != nil {
-		return nil, err
-	}
-
-	return &api.ScriptPolicy{
-		ID:             policy.ID,
-		FromScriptHash: fmt.Sprintf("%x", policy.FromScriptHash),
+		FromScriptHash: model.HashFormat(uint64(policy.FromScriptHash)),
 		ToScriptID:     policy.ToScriptID,
 		Policy:         int32(policy.Policy),
 	}, nil
@@ -163,14 +145,18 @@ func (svc *Service) GetScriptPolicyFromHash(ctx context.Context, params api.GetS
 //
 // Update the specified script policy by ID.
 //
-// PATCH /script-policy/id/{ScriptPolicyID}
+// POST /script-policy/{ScriptPolicyID}
 func (svc *Service) UpdateScriptPolicy(ctx context.Context, req *api.ScriptPolicyUpdate, params api.UpdateScriptPolicyParams) error {
-	userInfo, ok := ctx.Value("UserInfo").(UserInfo)
+	userInfo, ok := ctx.Value("UserInfo").(UserInfoHandle)
 	if !ok {
 		return ErrUserInfo
 	}

-	if !userInfo.Roles.ScriptWrite {
+	has_role, err := userInfo.HasRoleScriptWrite()
+	if err != nil {
+		return err
+	}
+	if !has_role {
 		return ErrPermissionDenied
 	}

--- a/pkg/service/scripts.go
+++ b/pkg/service/scripts.go
@@ -2,12 +2,10 @@ package service

 import (
 	"context"
-	"fmt"

 	"git.itzana.me/strafesnet/maps-service/pkg/api"
 	"git.itzana.me/strafesnet/maps-service/pkg/datastore"
 	"git.itzana.me/strafesnet/maps-service/pkg/model"
-	"github.com/dchest/siphash"
 )

 // CreateScript implements createScript operation.
@@ -16,20 +14,26 @@ import (
 //
 // POST /scripts
 func (svc *Service) CreateScript(ctx context.Context, req *api.ScriptCreate) (*api.ID, error) {
-	userInfo, ok := ctx.Value("UserInfo").(UserInfo)
+	userInfo, ok := ctx.Value("UserInfo").(UserInfoHandle)
 	if !ok {
 		return nil, ErrUserInfo
 	}

-	if !userInfo.Roles.ScriptWrite {
+	has_role, err := userInfo.HasRoleScriptWrite()
+	if err != nil {
+		return nil, err
+	}
+	if !has_role {
 		return nil, ErrPermissionDenied
 	}

 	script, err := svc.DB.Scripts().Create(ctx, model.Script{
 		ID:           0,
-		Hash:         siphash.Hash(0, 0, []byte(req.Source)),
+		Name:         req.Name,
+		Hash:         int64(model.HashSource(req.Source)),
 		Source:       req.Source,
-		SubmissionID: req.SubmissionID.Or(0),
+		ResourceType: model.ResourceType(req.ResourceType),
+		ResourceID:   req.ResourceID.Or(0),
 	})
 	if err != nil {
 		return nil, err
@@ -40,18 +44,69 @@ func (svc *Service) CreateScript(ctx context.Context, req *api.ScriptCreate) (*a
 	}, nil
 }

+// ListScripts implements listScripts operation.
+//
+// Get list of scripts.
+//
+// GET /scripts
+func (svc *Service) ListScripts(ctx context.Context, params api.ListScriptsParams) ([]api.Script, error) {
+	filter := datastore.Optional()
+
+	if params.Hash.IsSet(){
+		hash, err := model.HashParse(params.Hash.Value)
+		if err != nil {
+			return nil, err
+		}
+		filter.AddNotNil("hash", int64(hash)) // No type safety!
+	}
+	if params.Name.IsSet(){
+		filter.AddNotNil("name", params.Name.Value)
+	}
+	if params.Source.IsSet(){
+		filter.AddNotNil("source", params.Source.Value)
+	}
+	if params.SubmissionID.IsSet(){
+		filter.AddNotNil("submission_id", params.SubmissionID.Value)
+	}
+
+	items, err := svc.DB.Scripts().List(ctx, filter, model.Page{
+		Number: params.Page,
+		Size:   params.Limit,
+	})
+	if err != nil {
+		return nil, err
+	}
+
+	var resp []api.Script
+	for _, item := range items {
+		resp = append(resp, api.Script{
+			ID:           item.ID,
+			Hash:         model.HashFormat(uint64(item.Hash)),
+			Source:       item.Source,
+			ResourceType: int32(item.ResourceType),
+			ResourceID:   item.ResourceID,
+		})
+	}
+
+	return resp, nil
+}
+
 // DeleteScript implements deleteScript operation.
 //
 // Delete the specified script by ID.
 //
 // DELETE /scripts/{ScriptID}
 func (svc *Service) DeleteScript(ctx context.Context, params api.DeleteScriptParams) error {
-	userInfo, ok := ctx.Value("UserInfo").(UserInfo)
+	userInfo, ok := ctx.Value("UserInfo").(UserInfoHandle)
 	if !ok {
 		return ErrUserInfo
 	}

-	if !userInfo.Roles.ScriptWrite {
+	has_role, err := userInfo.HasRoleScriptWrite()
+	if err != nil {
+		return err
+	}
+	if !has_role {
 		return ErrPermissionDenied
 	}

@@ -64,7 +119,7 @@ func (svc *Service) DeleteScript(ctx context.Context, params api.DeleteScriptPar
 //
 // GET /scripts/{ScriptID}
 func (svc *Service) GetScript(ctx context.Context, params api.GetScriptParams) (*api.Script, error) {
-	_, ok := ctx.Value("UserInfo").(UserInfo)
+	_, ok := ctx.Value("UserInfo").(UserInfoHandle)
 	if !ok {
 		return nil, ErrUserInfo
 	}
@@ -78,9 +133,11 @@ func (svc *Service) GetScript(ctx context.Context, params api.GetScriptParams) (

 	return &api.Script{
 		ID:           script.ID,
-		Hash:         fmt.Sprintf("%x", script.Hash),
+		Name:         script.Name,
+		Hash:         model.HashFormat(uint64(script.Hash)),
 		Source:       script.Source,
-		SubmissionID: script.SubmissionID,
+		ResourceType: int32(script.ResourceType),
+		ResourceID:   script.ResourceID,
 	}, nil
 }

@@ -90,22 +147,32 @@ func (svc *Service) GetScript(ctx context.Context, params api.GetScriptParams) (
 //
 // PATCH /scripts/{ScriptID}
 func (svc *Service) UpdateScript(ctx context.Context, req *api.ScriptUpdate, params api.UpdateScriptParams) error {
-	userInfo, ok := ctx.Value("UserInfo").(UserInfo)
+	userInfo, ok := ctx.Value("UserInfo").(UserInfoHandle)
 	if !ok {
 		return ErrUserInfo
 	}

-	if !userInfo.Roles.ScriptWrite {
+	has_role, err := userInfo.HasRoleScriptWrite()
+	if err != nil {
+		return err
+	}
+	if !has_role {
 		return ErrPermissionDenied
 	}

 	pmap := datastore.Optional()
+	if Name, ok := req.Name.Get(); ok {
+		pmap.Add("name", Name)
+	}
 	if source, ok := req.Source.Get(); ok {
 		pmap.Add("source", source)
-		pmap.Add("hash", siphash.Hash(0, 0, []byte(source)))
+		pmap.Add("hash", int64(model.HashSource(source))) // No type safety!
 	}
-	if SubmissionID, ok := req.SubmissionID.Get(); ok {
-		pmap.Add("submission_id", SubmissionID)
+	if ResourceType, ok := req.ResourceType.Get(); ok {
+		pmap.Add("resource_type", ResourceType)
+	}
+	if ResourceID, ok := req.ResourceID.Get(); ok {
+		pmap.Add("resource_id", ResourceID)
 	}
 	return svc.DB.Scripts().Update(ctx, req.ID, pmap)
 }
--- a/pkg/service/security.go
+++ b/pkg/service/security.go
@@ -14,30 +14,145 @@ var (
 	ErrInvalidSession = errors.New("Session invalid")
 )

+// Submissions roles bitflag
+type Roles int32
 var (
-	// has SubmissionPublish
-	RoleMapAdmin int32 = 128
-	// has SubmissionReview
-	RoleMapCouncil int32 = 64
+	RolesSubmissionRelease Roles = 1<<4
+	RolesScriptWrite Roles = 1<<3
+	RolesMapUpload Roles = 1<<2
+	RolesMapReview Roles = 1<<1
+	RolesMapDownload Roles = 1<<0
+	RolesEmpty Roles = 0
 )

-type Roles struct {
-	// human roles
-	SubmissionPublish bool
-	SubmissionReview  bool
-	ScriptWrite       bool
-	// automated roles
-	Maptest   bool
-	Validator bool
-}
+// StrafesNET group roles
+type GroupRole int32
+var (
+	// has ScriptWrite
+	RoleQuat GroupRole = 255
+	RoleItzaname GroupRole = 254
+	RoleStagingDeveloper GroupRole = 240
+	RolesAll Roles = RolesScriptWrite|RolesSubmissionRelease|RolesMapUpload|RolesMapReview|RolesMapDownload
+	// has SubmissionUpload
+	RoleMapAdmin GroupRole = 128
+	RolesMapAdmin Roles = RolesSubmissionRelease|RolesMapUpload|RolesMapReview|RolesMapDownload
+	// has SubmissionReview
+	RoleMapCouncil GroupRole = 64
+	RolesMapCouncil Roles = RolesMapReview|RolesMapUpload|RolesMapDownload
+	// access to downloading maps
+	RoleMapAccess GroupRole = 32
+	RolesMapAccess Roles = RolesMapDownload
+)

+type UserInfoHandle struct {
+	// Would love to know a better way to do this
+	svc       *SecurityHandler
+	ctx       *context.Context
+	sessionId string
+}
 type UserInfo struct {
-	Roles  Roles
-	UserID uint64
+	UserID    uint64
+	Username  string
+	AvatarURL string
 }

-func (usr UserInfo) IsSubmitter(submitter uint64) bool {
-	return usr.UserID == submitter
+func (usr UserInfoHandle) GetUserInfo() (userInfo UserInfo, err error) {
+	session, err := usr.svc.Client.GetSessionUser(*usr.ctx, &auth.IdMessage{
+		SessionID: usr.sessionId,
+	})
+	if err != nil {
+		return userInfo, err
+	}
+	userInfo.UserID = session.UserID
+	userInfo.Username = session.Username
+	userInfo.AvatarURL = session.AvatarURL
+	return userInfo, nil
+}
+func (usr UserInfoHandle) GetUserID() (uint64, error) {
+	session, err := usr.svc.Client.GetSessionUser(*usr.ctx, &auth.IdMessage{
+		SessionID: usr.sessionId,
+	})
+	if err != nil {
+		return 0, err
+	}
+	return session.UserID, nil
+}
+func (usr UserInfoHandle) Validate() (bool, error) {
+	validate, err := usr.svc.Client.ValidateSession(*usr.ctx, &auth.IdMessage{
+		SessionID: usr.sessionId,
+	})
+	if err != nil {
+		return false, err
+	}
+	return validate.Valid, nil
+}
+func (usr UserInfoHandle) IsSubmitter(submitter uint64) (bool, error) {
+	userId, err := usr.GetUserID()
+	if err != nil {
+		return false, err
+	}
+	return userId == submitter, nil
+}
+func (usr UserInfoHandle) hasRoles(wantRoles Roles) (bool, error) {
+	haveroles, err := usr.GetRoles()
+	if err != nil {
+		return false, err
+	}
+
+	return haveroles & wantRoles == wantRoles, nil
+}
+func (usr UserInfoHandle) GetRoles() (Roles, error) {
+	roles, err := usr.svc.Client.GetGroupRole(*usr.ctx, &auth.IdMessage{
+		SessionID: usr.sessionId,
+	})
+
+	if err != nil {
+		return RolesEmpty, err
+	}
+
+	// map roles into bitflag
+	rolesBitflag := RolesEmpty;
+	for _, r := range roles.Roles {
+		switch GroupRole(r.Rank){
+		case RoleQuat, RoleItzaname, RoleStagingDeveloper:
+			rolesBitflag|=RolesAll
+		case RoleMapAdmin:
+			rolesBitflag|=RolesMapAdmin
+		case RoleMapCouncil:
+			rolesBitflag|=RolesMapCouncil
+		case RoleMapAccess:
+			rolesBitflag|=RolesMapAccess
+		}
+	}
+	return rolesBitflag, nil
+}
+
+// RoleThumbnail
+func (usr UserInfoHandle) HasRoleMapfixUpload() (bool, error) {
+	return usr.hasRoles(RolesMapUpload)
+}
+func (usr UserInfoHandle) HasRoleMapfixReview() (bool, error) {
+	return usr.hasRoles(RolesMapReview)
+}
+func (usr UserInfoHandle) HasRoleMapDownload() (bool, error) {
+	return usr.hasRoles(RolesMapDownload)
+}
+func (usr UserInfoHandle) HasRoleSubmissionRelease() (bool, error) {
+	return usr.hasRoles(RolesSubmissionRelease)
+}
+func (usr UserInfoHandle) HasRoleSubmissionUpload() (bool, error) {
+	return usr.hasRoles(RolesMapUpload)
+}
+func (usr UserInfoHandle) HasRoleSubmissionReview() (bool, error) {
+	return usr.hasRoles(RolesMapReview)
+}
+func (usr UserInfoHandle) HasRoleScriptWrite() (bool, error) {
+	return usr.hasRoles(RolesScriptWrite)
+}
+/// Not implemented
+func (usr UserInfoHandle) HasRoleMaptest() (bool, error) {
+	println("HasRoleMaptest is not implemented!")
+	return false, nil
 }

 type SecurityHandler struct {
@@ -50,45 +165,10 @@ func (svc SecurityHandler) HandleCookieAuth(ctx context.Context, operationName a
 		return nil, ErrMissingSessionID
 	}

-	session, err := svc.Client.GetSessionUser(ctx, &auth.IdMessage{
-		SessionID: sessionId,
-	})
-	if err != nil {
-		return nil, err
-	}
-
-	role, err := svc.Client.GetGroupRole(ctx, &auth.IdMessage{
-		SessionID: sessionId,
-	})
-	if err != nil {
-		return nil, err
-	}
-
-	validate, err := svc.Client.ValidateSession(ctx, &auth.IdMessage{
-		SessionID: sessionId,
-	})
-	if err != nil {
-		return nil, err
-	}
-	if !validate.Valid {
-		return nil, ErrInvalidSession
-	}
-
-	roles := Roles{}
-
-	// fix this when roblox udpates group roles
-	for _, r := range role.Roles {
-		if RoleMapAdmin <= r.Rank {
-			roles.SubmissionPublish = true
-		}
-		if RoleMapCouncil <= r.Rank {
-			roles.SubmissionReview = true
-		}
-	}
-
-	newCtx := context.WithValue(ctx, "UserInfo", UserInfo{
-		Roles:  roles,
-		UserID: session.UserID,
+	newCtx := context.WithValue(ctx, "UserInfo", UserInfoHandle{
+		svc:       &svc,
+		ctx:       &ctx,
+		sessionId: sessionId,
 	})

 	return newCtx, nil
--- a/pkg/service/service.go
+++ b/pkg/service/service.go
@@ -3,6 +3,9 @@ package service
 import (
 	"context"
 	"errors"
+	"fmt"
+
+	"git.itzana.me/strafesnet/go-grpc/maps"
 	"git.itzana.me/strafesnet/maps-service/pkg/api"
 	"git.itzana.me/strafesnet/maps-service/pkg/datastore"
 	"github.com/nats-io/nats.go"
@@ -13,11 +16,20 @@ var (
 	ErrPermissionDenied = errors.New("Permission denied")
 	// ErrUserInfo user info is missing for some reason
 	ErrUserInfo = errors.New("Missing user info")
+	ErrDelayReset = errors.New("Please give the validator at least 10 seconds to operate before attempting to reset the status")
+	ErrPermissionDeniedNotSubmitter = fmt.Errorf("%w: You must be the submitter to perform this action", ErrPermissionDenied)
+	ErrPermissionDeniedNeedRoleSubmissionRelease = fmt.Errorf("%w: Need Role SubmissionRelease", ErrPermissionDenied)
+	ErrPermissionDeniedNeedRoleMapUpload = fmt.Errorf("%w: Need Role MapUpload", ErrPermissionDenied)
+	ErrPermissionDeniedNeedRoleMapReview = fmt.Errorf("%w: Need Role MapReview", ErrPermissionDenied)
+	ErrPermissionDeniedNeedRoleMapDownload = fmt.Errorf("%w: Need Role MapDownload", ErrPermissionDenied)
+	ErrPermissionDeniedNeedRoleScriptWrite = fmt.Errorf("%w: Need Role ScriptWrite", ErrPermissionDenied)
+	ErrPermissionDeniedNeedRoleMaptest = fmt.Errorf("%w: Need Role Maptest", ErrPermissionDenied)
 )

 type Service struct {
 	DB   datastore.Datastore
 	Nats nats.JetStreamContext
+	Client maps.MapsServiceClient
 }

 // NewError creates *ErrorStatusCode from error returned by handler.
@@ -25,6 +37,9 @@ type Service struct {
 // Used for common default response.
 func (svc *Service) NewError(ctx context.Context, err error) *api.ErrorStatusCode {
 	status := 500
+	if errors.Is(err, datastore.ErrNotExist) {
+		status = 404
+	}
 	if errors.Is(err, ErrPermissionDenied) {
 		status = 403
 	}
--- a/pkg/service/session.go
+++ b/pkg/service/session.go
@@ -0,0 +1,68 @@
+package service
+
+import (
+	"context"
+
+	"git.itzana.me/strafesnet/maps-service/pkg/api"
+)
+
+// SessionRoles implements getSessionRoles operation.
+//
+// Get bitflags of permissions the currently logged in user has.
+//
+// GET /session/roles
+func (svc *Service) SessionRoles(ctx context.Context) (*api.Roles, error) {
+	userInfo, ok := ctx.Value("UserInfo").(UserInfoHandle)
+	if !ok {
+		return nil, ErrUserInfo
+	}
+
+	roles, err := userInfo.GetRoles();
+	if err != nil {
+		return nil, err
+	}
+
+	return &api.Roles{Roles: int32(roles)}, nil
+}
+
+// SessionUser implements sessionUser operation.
+//
+// Get information about the currently logged in user.
+//
+// GET /session/roles
+func (svc *Service) SessionUser(ctx context.Context) (*api.User, error) {
+	userInfoHandle, ok := ctx.Value("UserInfo").(UserInfoHandle)
+	if !ok {
+		return nil, ErrUserInfo
+	}
+
+	userInfo, err := userInfoHandle.GetUserInfo();
+	if err != nil {
+		return nil, err
+	}
+
+	return &api.User{
+		UserID:int64(userInfo.UserID),
+		Username:userInfo.Username,
+		AvatarURL:userInfo.AvatarURL,
+	}, nil
+}
+
+// SessionUser implements sessionUser operation.
+//
+// Get information about the currently logged in user.
+//
+// GET /session/roles
+func (svc *Service) SessionValidate(ctx context.Context) (bool, error) {
+	userInfoHandle, ok := ctx.Value("UserInfo").(UserInfoHandle)
+	if !ok {
+		return false, ErrUserInfo
+	}
+
+	valid, err := userInfoHandle.Validate();
+	if err != nil {
+		return false, err
+	}
+
+	return valid, nil
+}
--- a/pkg/service/submissions.go
+++ b/pkg/service/submissions.go
@@ -3,30 +3,109 @@ package service
 import (
 	"context"
 	"encoding/json"
+	"errors"
+	"fmt"
+	"time"

+	"git.itzana.me/strafesnet/go-grpc/maps"
 	"git.itzana.me/strafesnet/maps-service/pkg/api"
 	"git.itzana.me/strafesnet/maps-service/pkg/datastore"
 	"git.itzana.me/strafesnet/maps-service/pkg/model"
 )

+var(
+	CreationPhaseSubmissionsLimit = 20
+	CreationPhaseSubmissionStatuses = []model.SubmissionStatus{
+		model.SubmissionStatusChangesRequested,
+		model.SubmissionStatusSubmitted,
+		model.SubmissionStatusUnderConstruction,
+	}
+	// prevent two mapfixes with same asset id
+	ActiveSubmissionStatuses = []model.SubmissionStatus{
+		model.SubmissionStatusUploading,
+		model.SubmissionStatusValidated,
+		model.SubmissionStatusValidating,
+		model.SubmissionStatusAccepted,
+		model.SubmissionStatusChangesRequested,
+		model.SubmissionStatusSubmitted,
+		model.SubmissionStatusUnderConstruction,
+	}
+	// limit mapfixes in the pipeline to one per target map
+	ActiveAcceptedSubmissionStatuses = []model.SubmissionStatus{
+		model.SubmissionStatusUploading,
+		model.SubmissionStatusValidated,
+		model.SubmissionStatusValidating,
+		model.SubmissionStatusAccepted,
+	}
+)
+
+var (
+	ErrCreationPhaseSubmissionsLimit = errors.New("Active submissions limited to 20")
+	ErrActiveSubmissionSameAssetID = errors.New("There is an active submission with the same AssetID")
+	ErrUploadedAssetIDAlreadyExists = errors.New("The submission UploadedAssetID is already set")
+	ErrReleaseInvalidStatus = errors.New("Only submissions with Uploaded status can be released")
+	ErrReleaseNoUploadedAssetID = errors.New("Only submissions with a UploadedAssetID can be released")
+	ErrAcceptOwnSubmission = fmt.Errorf("%w: You cannot accept your own submission as the submitter", ErrPermissionDenied)
+)
+
 // POST /submissions
 func (svc *Service) CreateSubmission(ctx context.Context, request *api.SubmissionCreate) (*api.ID, error) {
-	userInfo, ok := ctx.Value("UserInfo").(UserInfo)
+	userInfo, ok := ctx.Value("UserInfo").(UserInfoHandle)
 	if !ok {
 		return nil, ErrUserInfo
 	}

+	userId, err := userInfo.GetUserID()
+	if err != nil {
+		return nil, err
+	}
+
+	// Check if user's submissions in the creation phase exceeds the limit
+	{
+		filter := datastore.Optional()
+		filter.Add("submitter", int64(userId))
+		filter.Add("status_id", CreationPhaseSubmissionStatuses)
+		creation_submissions, err := svc.DB.Submissions().List(ctx, filter, model.Page{
+			Number: 1,
+			Size:   int32(CreationPhaseSubmissionsLimit),
+		},datastore.ListSortDisabled)
+		if err != nil {
+			return nil, err
+		}
+
+		if CreationPhaseSubmissionsLimit <= len(creation_submissions) {
+			return nil, ErrCreationPhaseSubmissionsLimit
+		}
+	}
+
+	// Check if an active submission with the same asset id exists
+	{
+		filter := datastore.Optional()
+		filter.Add("asset_id", request.AssetID)
+		filter.Add("asset_version", request.AssetVersion)
+		filter.Add("status_id", ActiveSubmissionStatuses)
+		active_submissions, err := svc.DB.Submissions().List(ctx, filter, model.Page{
+			Number: 1,
+			Size:   1,
+		},datastore.ListSortDisabled)
+		if err != nil {
+			return nil, err
+		}
+		if len(active_submissions) != 0{
+			return nil, ErrActiveSubmissionSameAssetID
+		}
+	}
+
 	submission, err := svc.DB.Submissions().Create(ctx, model.Submission{
 		ID:            0,
 		DisplayName:   request.DisplayName,
 		Creator:       request.Creator,
 		GameID:        request.GameID,
-		Submitter:     userInfo.UserID,
-		AssetID:       uint64(request.AssetID),
-		AssetVersion:  uint64(request.AssetVersion),
+		Submitter:     int64(userId),
+		AssetID:       request.AssetID,
+		AssetVersion:  request.AssetVersion,
 		Completed:     false,
-		TargetAssetID: uint64(request.TargetAssetID.Value),
-		StatusID:      model.StatusUnderConstruction,
+		StatusID:      model.SubmissionStatusUnderConstruction,
 	})
 	if err != nil {
 		return nil, err
@@ -57,8 +136,9 @@ func (svc *Service) GetSubmission(ctx context.Context, params api.GetSubmissionP
 		AssetID:       int64(submission.AssetID),
 		AssetVersion:  int64(submission.AssetVersion),
 		Completed:     submission.Completed,
-		TargetAssetID: api.NewOptInt64(int64(submission.TargetAssetID)),
+		UploadedAssetID: api.NewOptInt64(int64(submission.UploadedAssetID)),
 		StatusID:      int32(submission.StatusID),
+		StatusMessage: submission.StatusMessage,
 	}, nil
 }

@@ -67,38 +147,44 @@ func (svc *Service) GetSubmission(ctx context.Context, params api.GetSubmissionP
 // Get list of submissions.
 //
 // GET /submissions
-func (svc *Service) ListSubmissions(ctx context.Context, request *api.ListSubmissionsReq) ([]api.Submission, error) {
+func (svc *Service) ListSubmissions(ctx context.Context, params api.ListSubmissionsParams) ([]api.Submission, error) {
 	filter := datastore.Optional()
-	//fmt.Println(request)
-	if request.Filter.IsSet() {
-		filter.AddNotNil("display_name", request.Filter.Value.DisplayName)
-		filter.AddNotNil("creator", request.Filter.Value.Creator)
-		filter.AddNotNil("game_id", request.Filter.Value.GameID)
+
+	if params.DisplayName.IsSet(){
+		filter.Add("display_name", params.DisplayName.Value)
+	}
+	if params.Creator.IsSet(){
+		filter.Add("creator", params.Creator.Value)
+	}
+	if params.GameID.IsSet(){
+		filter.Add("game_id", params.GameID.Value)
 	}

+	sort := datastore.ListSort(params.Sort.Or(int32(datastore.ListSortDisabled)))
+
 	items, err := svc.DB.Submissions().List(ctx, filter, model.Page{
-		Number: request.Page.GetPage(),
-		Size:   request.Page.GetLimit(),
-	})
+		Number: params.Page,
+		Size:   params.Limit,
+	},sort)
 	if err != nil {
 		return nil, err
 	}

 	var resp []api.Submission
-	for i := 0; i < len(items); i++ {
+	for _, item := range items {
 		resp = append(resp, api.Submission{
-			ID:            items[i].ID,
-			DisplayName:   items[i].DisplayName,
-			Creator:       items[i].Creator,
-			GameID:        items[i].GameID,
-			CreatedAt:     items[i].CreatedAt.Unix(),
-			UpdatedAt:     items[i].UpdatedAt.Unix(),
-			Submitter:     int64(items[i].Submitter),
-			AssetID:       int64(items[i].AssetID),
-			AssetVersion:  int64(items[i].AssetVersion),
-			Completed:     items[i].Completed,
-			TargetAssetID: api.NewOptInt64(int64(items[i].TargetAssetID)),
-			StatusID:      int32(items[i].StatusID),
+			ID:            item.ID,
+			DisplayName:   item.DisplayName,
+			Creator:       item.Creator,
+			GameID:        item.GameID,
+			CreatedAt:     item.CreatedAt.Unix(),
+			UpdatedAt:     item.UpdatedAt.Unix(),
+			Submitter:     int64(item.Submitter),
+			AssetID:       int64(item.AssetID),
+			AssetVersion:  int64(item.AssetVersion),
+			Completed:     item.Completed,
+			UploadedAssetID: api.NewOptInt64(int64(item.UploadedAssetID)),
+			StatusID:      int32(item.StatusID),
 		})
 	}

@@ -111,29 +197,32 @@ func (svc *Service) ListSubmissions(ctx context.Context, request *api.ListSubmis
 //
 // POST /submissions/{SubmissionID}/completed
 func (svc *Service) SetSubmissionCompleted(ctx context.Context, params api.SetSubmissionCompletedParams) error {
-	userInfo, ok := ctx.Value("UserInfo").(UserInfo)
+	userInfo, ok := ctx.Value("UserInfo").(UserInfoHandle)
 	if !ok {
 		return ErrUserInfo
 	}

+	has_role, err := userInfo.HasRoleMaptest()
+	if err != nil {
+		return err
+	}
 	// check if caller has MaptestGame role (request must originate from a maptest roblox game)
-	if !userInfo.Roles.Maptest {
-		return ErrPermissionDenied
+	if !has_role {
+		return ErrPermissionDeniedNeedRoleMaptest
 	}

 	pmap := datastore.Optional()
 	pmap.Add("completed", true)
-	err := svc.DB.Submissions().Update(ctx, params.SubmissionID, pmap)
-	return err
+	return svc.DB.Submissions().Update(ctx, params.SubmissionID, pmap)
 }

-// PatchSubmissionModel implements patchSubmissionModel operation.
+// UpdateSubmissionModel implements patchSubmissionModel operation.
 //
 // Update model following role restrictions.
 //
 // POST /submissions/{SubmissionID}/model
 func (svc *Service) UpdateSubmissionModel(ctx context.Context, params api.UpdateSubmissionModelParams) error {
-	userInfo, ok := ctx.Value("UserInfo").(UserInfo)
+	userInfo, ok := ctx.Value("UserInfo").(UserInfoHandle)
 	if !ok {
 		return ErrUserInfo
 	}
@@ -144,9 +233,13 @@ func (svc *Service) UpdateSubmissionModel(ctx context.Context, params api.Update
 		return err
 	}

+	has_role, err := userInfo.IsSubmitter(uint64(submission.Submitter))
+	if err != nil {
+		return err
+	}
 	// check if caller is the submitter
-	if !userInfo.IsSubmitter(submission.Submitter) {
-		return ErrPermissionDenied
+	if !has_role {
+		return ErrPermissionDeniedNotSubmitter
 	}

 	// check if Status is ChangesRequested|Submitted|UnderConstruction
@@ -155,21 +248,7 @@ func (svc *Service) UpdateSubmissionModel(ctx context.Context, params api.Update
 	pmap.AddNotNil("asset_version", params.VersionID)
 	//always reset completed when model changes
 	pmap.Add("completed", false)
-	return svc.DB.Submissions().IfStatusThenUpdate(ctx, params.SubmissionID, []model.Status{model.StatusChangesRequested, model.StatusSubmitted, model.StatusUnderConstruction}, pmap)
-}
-
-// ActionSubmissionPublish invokes actionSubmissionPublish operation.
-//
-// Role Validator changes status from Publishing -> Published.
-//
-// POST /submissions/{SubmissionID}/status/publish
-func (svc *Service) ActionSubmissionPublish(ctx context.Context, params api.ActionSubmissionPublishParams) error {
-	println("[ActionSubmissionPublish] Implicit Validator permission granted!")
-
-	// transaction
-	smap := datastore.Optional()
-	smap.Add("status_id", model.StatusPublished)
-	return svc.DB.Submissions().IfStatusThenUpdate(ctx, params.SubmissionID, []model.Status{model.StatusPublishing}, smap)
+	return svc.DB.Submissions().IfStatusThenUpdate(ctx, params.SubmissionID, []model.SubmissionStatus{model.SubmissionStatusChangesRequested, model.SubmissionStatusSubmitted, model.SubmissionStatusUnderConstruction}, pmap)
 }

 // ActionSubmissionReject invokes actionSubmissionReject operation.
@@ -178,20 +257,24 @@ func (svc *Service) ActionSubmissionPublish(ctx context.Context, params api.Acti
 //
 // POST /submissions/{SubmissionID}/status/reject
 func (svc *Service) ActionSubmissionReject(ctx context.Context, params api.ActionSubmissionRejectParams) error {
-	userInfo, ok := ctx.Value("UserInfo").(UserInfo)
+	userInfo, ok := ctx.Value("UserInfo").(UserInfoHandle)
 	if !ok {
 		return ErrUserInfo
 	}

+	has_role, err := userInfo.HasRoleSubmissionReview()
+	if err != nil {
+		return err
+	}
 	// check if caller has required role
-	if !userInfo.Roles.SubmissionReview {
-		return ErrPermissionDenied
+	if !has_role {
+		return ErrPermissionDeniedNeedRoleMapReview
 	}

 	// transaction
 	smap := datastore.Optional()
-	smap.Add("status_id", model.StatusRejected)
-	return svc.DB.Submissions().IfStatusThenUpdate(ctx, params.SubmissionID, []model.Status{model.StatusSubmitted}, smap)
+	smap.Add("status_id", model.SubmissionStatusRejected)
+	return svc.DB.Submissions().IfStatusThenUpdate(ctx, params.SubmissionID, []model.SubmissionStatus{model.SubmissionStatusSubmitted}, smap)
 }

 // ActionSubmissionRequestChanges invokes actionSubmissionRequestChanges operation.
@@ -200,20 +283,24 @@ func (svc *Service) ActionSubmissionReject(ctx context.Context, params api.Actio
 //
 // POST /submissions/{SubmissionID}/status/request-changes
 func (svc *Service) ActionSubmissionRequestChanges(ctx context.Context, params api.ActionSubmissionRequestChangesParams) error {
-	userInfo, ok := ctx.Value("UserInfo").(UserInfo)
+	userInfo, ok := ctx.Value("UserInfo").(UserInfoHandle)
 	if !ok {
 		return ErrUserInfo
 	}

+	has_role, err := userInfo.HasRoleSubmissionReview()
+	if err != nil {
+		return err
+	}
 	// check if caller has required role
-	if !userInfo.Roles.SubmissionReview {
-		return ErrPermissionDenied
+	if !has_role {
+		return ErrPermissionDeniedNeedRoleMapReview
 	}

 	// transaction
 	smap := datastore.Optional()
-	smap.Add("status_id", model.StatusChangesRequested)
-	return svc.DB.Submissions().IfStatusThenUpdate(ctx, params.SubmissionID, []model.Status{model.StatusValidated, model.StatusAccepted, model.StatusSubmitted}, smap)
+	smap.Add("status_id", model.SubmissionStatusChangesRequested)
+	return svc.DB.Submissions().IfStatusThenUpdate(ctx, params.SubmissionID, []model.SubmissionStatus{model.SubmissionStatusValidated, model.SubmissionStatusAccepted, model.SubmissionStatusSubmitted}, smap)
 }

 // ActionSubmissionRevoke invokes actionSubmissionRevoke operation.
@@ -222,7 +309,7 @@ func (svc *Service) ActionSubmissionRequestChanges(ctx context.Context, params a
 //
 // POST /submissions/{SubmissionID}/status/revoke
 func (svc *Service) ActionSubmissionRevoke(ctx context.Context, params api.ActionSubmissionRevokeParams) error {
-	userInfo, ok := ctx.Value("UserInfo").(UserInfo)
+	userInfo, ok := ctx.Value("UserInfo").(UserInfoHandle)
 	if !ok {
 		return ErrUserInfo
 	}
@@ -233,15 +320,19 @@ func (svc *Service) ActionSubmissionRevoke(ctx context.Context, params api.Actio
 		return err
 	}

+	has_role, err := userInfo.IsSubmitter(uint64(submission.Submitter))
+	if err != nil {
+		return err
+	}
 	// check if caller is the submitter
-	if !userInfo.IsSubmitter(submission.Submitter) {
-		return ErrPermissionDenied
+	if !has_role {
+		return ErrPermissionDeniedNotSubmitter
 	}

 	// transaction
 	smap := datastore.Optional()
-	smap.Add("status_id", model.StatusUnderConstruction)
-	return svc.DB.Submissions().IfStatusThenUpdate(ctx, params.SubmissionID, []model.Status{model.StatusSubmitted, model.StatusChangesRequested}, smap)
+	smap.Add("status_id", model.SubmissionStatusUnderConstruction)
+	return svc.DB.Submissions().IfStatusThenUpdate(ctx, params.SubmissionID, []model.SubmissionStatus{model.SubmissionStatusSubmitted, model.SubmissionStatusChangesRequested}, smap)
 }

 // ActionSubmissionSubmit invokes actionSubmissionSubmit operation.
@@ -250,7 +341,7 @@ func (svc *Service) ActionSubmissionRevoke(ctx context.Context, params api.Actio
 //
 // POST /submissions/{SubmissionID}/status/submit
 func (svc *Service) ActionSubmissionSubmit(ctx context.Context, params api.ActionSubmissionSubmitParams) error {
-	userInfo, ok := ctx.Value("UserInfo").(UserInfo)
+	userInfo, ok := ctx.Value("UserInfo").(UserInfoHandle)
 	if !ok {
 		return ErrUserInfo
 	}
@@ -261,99 +352,149 @@ func (svc *Service) ActionSubmissionSubmit(ctx context.Context, params api.Actio
 		return err
 	}

+	has_role, err := userInfo.IsSubmitter(uint64(submission.Submitter))
+	if err != nil {
+		return err
+	}
 	// check if caller is the submitter
-	if !userInfo.IsSubmitter(submission.Submitter) {
-		return ErrPermissionDenied
+	if !has_role {
+		return ErrPermissionDeniedNotSubmitter
 	}

 	// transaction
 	smap := datastore.Optional()
-	smap.Add("status_id", model.StatusSubmitted)
-	return svc.DB.Submissions().IfStatusThenUpdate(ctx, params.SubmissionID, []model.Status{model.StatusUnderConstruction, model.StatusChangesRequested}, smap)
+	smap.Add("status_id", model.SubmissionStatusSubmitted)
+	return svc.DB.Submissions().IfStatusThenUpdate(ctx, params.SubmissionID, []model.SubmissionStatus{model.SubmissionStatusUnderConstruction, model.SubmissionStatusChangesRequested}, smap)
 }

-// ActionSubmissionTriggerPublish invokes actionSubmissionTriggerPublish operation.
+// ActionSubmissionTriggerUpload invokes actionSubmissionTriggerUpload operation.
 //
-// Role Admin changes status from Validated -> Publishing.
+// Role Admin changes status from Validated -> Uploading.
 //
-// POST /submissions/{SubmissionID}/status/trigger-publish
-func (svc *Service) ActionSubmissionTriggerPublish(ctx context.Context, params api.ActionSubmissionTriggerPublishParams) error {
-	userInfo, ok := ctx.Value("UserInfo").(UserInfo)
+// POST /submissions/{SubmissionID}/status/trigger-upload
+func (svc *Service) ActionSubmissionTriggerUpload(ctx context.Context, params api.ActionSubmissionTriggerUploadParams) error {
+	userInfo, ok := ctx.Value("UserInfo").(UserInfoHandle)
 	if !ok {
 		return ErrUserInfo
 	}

+	has_role, err := userInfo.HasRoleSubmissionUpload()
+	if err != nil {
+		return err
+	}
 	// check if caller has required role
-	if !userInfo.Roles.SubmissionPublish {
-		return ErrPermissionDenied
+	if !has_role {
+		return ErrPermissionDeniedNeedRoleMapUpload
 	}

 	// transaction
 	smap := datastore.Optional()
-	smap.Add("status_id", model.StatusPublishing)
-	submission, err := svc.DB.Submissions().IfStatusThenUpdateAndGet(ctx, params.SubmissionID, []model.Status{model.StatusValidated}, smap)
+	smap.Add("status_id", model.SubmissionStatusUploading)
+	submission, err := svc.DB.Submissions().IfStatusThenUpdateAndGet(ctx, params.SubmissionID, []model.SubmissionStatus{model.SubmissionStatusValidated}, smap)
 	if err != nil {
 		return err
 	}

 	// sentinel value because we are not using rust
-	if submission.TargetAssetID == 0 {
+	if submission.UploadedAssetID == 0 {
 		// this is a new map
-		publish_new_request := model.PublishNewRequest{
+		upload_new_request := model.UploadNewRequest{
 			SubmissionID: submission.ID,
-			ModelID:      submission.AssetID,
-			ModelVersion: submission.AssetVersion,
-			Creator:      submission.Creator,
-			DisplayName:  submission.DisplayName,
-			GameID:       uint32(submission.GameID),
+			ModelID:      submission.ValidatedAssetID,
+			ModelVersion: submission.ValidatedAssetVersion,
+			// upload as displayname, whatever
+			ModelName:    submission.DisplayName,
 		}

-		j, err := json.Marshal(publish_new_request)
+		j, err := json.Marshal(upload_new_request)
 		if err != nil {
 			return err
 		}

-		svc.Nats.Publish("maptest.submissions.publishnew", []byte(j))
+		svc.Nats.Publish("maptest.submissions.upload", []byte(j))
 	} else {
-		// this is a map fix
-		publish_fix_request := model.PublishFixRequest{
-			SubmissionID:  submission.ID,
-			ModelID:       submission.AssetID,
-			ModelVersion:  submission.AssetVersion,
-			TargetAssetID: submission.TargetAssetID,
-		}
-
-		j, err := json.Marshal(publish_fix_request)
-		if err != nil {
-			return err
-		}
-
-		svc.Nats.Publish("maptest.submissions.publishfix", []byte(j))
+		// refuse to operate
+		return ErrUploadedAssetIDAlreadyExists
 	}

 	return nil
 }

-// ActionSubmissionTriggerValidate invokes actionSubmissionTriggerValidate operation.
+// ActionSubmissionValidate invokes actionSubmissionValidate operation.
 //
-// Role Reviewer triggers validation and changes status from Submitted|Accepted -> Validating.
+// Role SubmissionRelease changes status from Uploading -> Validated.
 //
-// POST /submissions/{SubmissionID}/status/trigger-validate
-func (svc *Service) ActionSubmissionTriggerValidate(ctx context.Context, params api.ActionSubmissionTriggerValidateParams) error {
-	userInfo, ok := ctx.Value("UserInfo").(UserInfo)
+// POST /submissions/{SubmissionID}/status/reset-uploading
+func (svc *Service) ActionSubmissionValidated(ctx context.Context, params api.ActionSubmissionValidatedParams) error {
+	userInfo, ok := ctx.Value("UserInfo").(UserInfoHandle)
 	if !ok {
 		return ErrUserInfo
 	}

+	has_role, err := userInfo.HasRoleSubmissionUpload()
+	if err != nil {
+		return err
+	}
 	// check if caller has required role
-	if !userInfo.Roles.SubmissionReview {
-		return ErrPermissionDenied
+	if !has_role {
+		return ErrPermissionDeniedNeedRoleMapUpload
+	}
+
+	// check when submission was updated
+	submission, err := svc.DB.Submissions().Get(ctx, params.SubmissionID)
+	if err != nil {
+		return err
+	}
+	if time.Now().Before(submission.UpdatedAt.Add(time.Second*10)) {
+		// the last time the submission was updated must be longer than 10 seconds ago
+		return ErrDelayReset
 	}

 	// transaction
 	smap := datastore.Optional()
-	smap.Add("status_id", model.StatusValidating)
-	submission, err := svc.DB.Submissions().IfStatusThenUpdateAndGet(ctx, params.SubmissionID, []model.Status{model.StatusSubmitted, model.StatusAccepted}, smap)
+	smap.Add("status_id", model.SubmissionStatusValidated)
+	return svc.DB.Submissions().IfStatusThenUpdate(ctx, params.SubmissionID, []model.SubmissionStatus{model.SubmissionStatusUploading}, smap)
+}
+
+// ActionSubmissionTriggerValidate invokes actionSubmissionTriggerValidate operation.
+//
+// Role Reviewer triggers validation and changes status from Submitted -> Validating.
+//
+// POST /submissions/{SubmissionID}/status/trigger-validate
+func (svc *Service) ActionSubmissionTriggerValidate(ctx context.Context, params api.ActionSubmissionTriggerValidateParams) error {
+	userInfo, ok := ctx.Value("UserInfo").(UserInfoHandle)
+	if !ok {
+		return ErrUserInfo
+	}
+
+	has_role, err := userInfo.HasRoleSubmissionReview()
+	if err != nil {
+		return err
+	}
+	// check if caller has required role
+	if !has_role {
+		return ErrPermissionDeniedNeedRoleMapReview
+	}
+
+	// read submission (this could be done with a transaction WHERE clause)
+	submission, err := svc.DB.Submissions().Get(ctx, params.SubmissionID)
+	if err != nil {
+		return err
+	}
+
+	has_role, err = userInfo.IsSubmitter(uint64(submission.Submitter))
+	if err != nil {
+		return err
+	}
+	// check if caller is NOT the submitter
+	if has_role {
+		return ErrAcceptOwnSubmission
+	}
+
+	// transaction
+	smap := datastore.Optional()
+	smap.Add("status_id", model.SubmissionStatusValidating)
+	submission, err = svc.DB.Submissions().IfStatusThenUpdateAndGet(ctx, params.SubmissionID, []model.SubmissionStatus{model.SubmissionStatusSubmitted}, smap)
 	if err != nil {
 		return err
 	}
@@ -362,7 +503,12 @@ func (svc *Service) ActionSubmissionTriggerValidate(ctx context.Context, params
 		SubmissionID:     submission.ID,
 		ModelID:          submission.AssetID,
 		ModelVersion:     submission.AssetVersion,
-		ValidatedModelID: 0, //TODO: reuse velidation models
+		ValidatedModelID: nil,
+	}
+
+	// sentinel values because we're not using rust
+	if submission.ValidatedAssetID != 0 {
+		validate_request.ValidatedModelID = &submission.ValidatedAssetID
 	}

 	j, err := json.Marshal(validate_request)
@@ -375,16 +521,156 @@ func (svc *Service) ActionSubmissionTriggerValidate(ctx context.Context, params
 	return nil
 }

-// ActionSubmissionValidate invokes actionSubmissionValidate operation.
+// ActionSubmissionRetryValidate invokes actionSubmissionRetryValidate operation.
 //
-// Role Validator changes status from Validating -> Validated.
+// Role Reviewer re-runs validation and changes status from Accepted -> Validating.
 //
-// POST /submissions/{SubmissionID}/status/validate
-func (svc *Service) ActionSubmissionValidate(ctx context.Context, params api.ActionSubmissionValidateParams) error {
-	println("[ActionSubmissionValidate] Implicit Validator permission granted!")
+// POST /submissions/{SubmissionID}/status/retry-validate
+func (svc *Service) ActionSubmissionRetryValidate(ctx context.Context, params api.ActionSubmissionRetryValidateParams) error {
+	userInfo, ok := ctx.Value("UserInfo").(UserInfoHandle)
+	if !ok {
+		return ErrUserInfo
+	}
+
+	has_role, err := userInfo.HasRoleSubmissionReview()
+	if err != nil {
+		return err
+	}
+	// check if caller has required role
+	if !has_role {
+		return ErrPermissionDeniedNeedRoleMapReview
+	}

 	// transaction
 	smap := datastore.Optional()
-	smap.Add("status_id", model.StatusValidated)
-	return svc.DB.Submissions().IfStatusThenUpdate(ctx, params.SubmissionID, []model.Status{model.StatusValidating}, smap)
+	smap.Add("status_id", model.SubmissionStatusValidating)
+	submission, err := svc.DB.Submissions().IfStatusThenUpdateAndGet(ctx, params.SubmissionID, []model.SubmissionStatus{model.SubmissionStatusAccepted}, smap)
+	if err != nil {
+		return err
+	}
+
+	validate_request := model.ValidateRequest{
+		SubmissionID:     submission.ID,
+		ModelID:          submission.AssetID,
+		ModelVersion:     submission.AssetVersion,
+		ValidatedModelID: nil,
+	}
+
+	// sentinel values because we're not using rust
+	if submission.ValidatedAssetID != 0 {
+		validate_request.ValidatedModelID = &submission.ValidatedAssetID
+	}
+
+	j, err := json.Marshal(validate_request)
+	if err != nil {
+		return err
+	}
+
+	svc.Nats.Publish("maptest.submissions.validate", []byte(j))
+
+	return nil
+}
+
+// ActionSubmissionAccepted implements actionSubmissionAccepted operation.
+//
+// Role SubmissionReview changes status from Validating -> Accepted.
+//
+// POST /submissions/{SubmissionID}/status/reset-validating
+func (svc *Service) ActionSubmissionAccepted(ctx context.Context, params api.ActionSubmissionAcceptedParams) error {
+	userInfo, ok := ctx.Value("UserInfo").(UserInfoHandle)
+	if !ok {
+		return ErrUserInfo
+	}
+
+	has_role, err := userInfo.HasRoleSubmissionReview()
+	if err != nil {
+		return err
+	}
+	// check if caller has required role
+	if !has_role {
+		return ErrPermissionDeniedNeedRoleMapReview
+	}
+
+	// check when submission was updated
+	submission, err := svc.DB.Submissions().Get(ctx, params.SubmissionID)
+	if err != nil {
+		return err
+	}
+	if time.Now().Before(submission.UpdatedAt.Add(time.Second*10)) {
+		// the last time the submission was updated must be longer than 10 seconds ago
+		return ErrDelayReset
+	}
+
+	// transaction
+	smap := datastore.Optional()
+	smap.Add("status_id", model.SubmissionStatusAccepted)
+	smap.Add("status_message", "Manually forced reset")
+	return svc.DB.Submissions().IfStatusThenUpdate(ctx, params.SubmissionID, []model.SubmissionStatus{model.SubmissionStatusValidating}, smap)
+}
+
+// ReleaseSubmissions invokes releaseSubmissions operation.
+//
+// Release a set of uploaded maps.
+//
+// POST /release-submissions
+func (svc *Service) ReleaseSubmissions(ctx context.Context, request []api.ReleaseInfo) error {
+	userInfo, ok := ctx.Value("UserInfo").(UserInfoHandle)
+	if !ok {
+		return ErrUserInfo
+	}
+
+	has_role, err := userInfo.HasRoleSubmissionRelease()
+	if err != nil {
+		return err
+	}
+	// check if caller has required role
+	if !has_role {
+		return ErrPermissionDeniedNeedRoleSubmissionRelease
+	}
+
+	idList := make([]int64, len(request))
+	for i, releaseInfo := range request {
+		idList[i] = releaseInfo.SubmissionID
+	}
+
+	// fetch submissions
+	submissions, err := svc.DB.Submissions().GetList(ctx, idList)
+	if err != nil {
+		return err
+	}
+
+	// check each submission to make sure it is ready to release
+	for _,submission := range submissions{
+		if submission.StatusID != model.SubmissionStatusUploaded{
+			return ErrReleaseInvalidStatus
+		}
+		if submission.UploadedAssetID == 0{
+			return ErrReleaseNoUploadedAssetID
+		}
+	}
+
+	for i,submission := range submissions{
+		date := request[i].Date.Unix()
+		// create each map with go-grpc
+		_, err := svc.Client.Create(ctx, &maps.MapRequest{
+			ID:          submission.UploadedAssetID,
+			DisplayName: &submission.DisplayName,
+			Creator:     &submission.Creator,
+			GameID:      &submission.GameID,
+			Date:        &date,
+		})
+		if err != nil {
+			return err
+		}
+
+		// update each status to Released
+		smap := datastore.Optional()
+		smap.Add("status_id", model.SubmissionStatusReleased)
+		err = svc.DB.Submissions().IfStatusThenUpdate(ctx, submission.ID, []model.SubmissionStatus{model.SubmissionStatusUploaded}, smap)
+		if err != nil {
+			return err
+		}
+	}
+
+	return nil
 }
--- a/pkg/service_internal/script_policy.go
+++ b/pkg/service_internal/script_policy.go
@@ -0,0 +1,80 @@
+package service_internal
+
+import (
+	"context"
+
+	"git.itzana.me/strafesnet/maps-service/pkg/datastore"
+	"git.itzana.me/strafesnet/maps-service/pkg/internal"
+	"git.itzana.me/strafesnet/maps-service/pkg/model"
+)
+
+// CreateScriptPolicy implements createScriptPolicy operation.
+//
+// Create a new script policy.
+//
+// POST /script-policy
+func (svc *Service) CreateScriptPolicy(ctx context.Context, req *api.ScriptPolicyCreate) (*api.ID, error) {
+	from_script, err := svc.DB.Scripts().Get(ctx, req.FromScriptID)
+	if err != nil {
+		return nil, err
+	}
+
+	// the existence of ToScriptID does not need to be validated because it's checked by a foreign key constraint.
+
+	script, err := svc.DB.ScriptPolicy().Create(ctx, model.ScriptPolicy{
+		ID:             0,
+		FromScriptHash: from_script.Hash,
+		ToScriptID:     req.ToScriptID,
+		Policy:         model.Policy(req.Policy),
+	})
+	if err != nil {
+		return nil, err
+	}
+
+	return &api.ID{
+		ID: script.ID,
+	}, nil
+}
+
+// ListScriptPolicy implements listScriptPolicy operation.
+//
+// Get list of script policies.
+//
+// GET /script-policy
+func (svc *Service) ListScriptPolicy(ctx context.Context, params api.ListScriptPolicyParams) ([]api.ScriptPolicy, error) {
+	filter := datastore.Optional()
+
+	if params.FromScriptHash.IsSet(){
+		hash, err := model.HashParse(params.FromScriptHash.Value)
+		if err != nil {
+			return nil, err
+		}
+		filter.AddNotNil("from_script_hash", int64(hash)) // No type safety!
+	}
+	if params.ToScriptID.IsSet(){
+		filter.AddNotNil("to_script_id", params.ToScriptID.Value)
+	}
+	if params.Policy.IsSet(){
+		filter.AddNotNil("policy", params.Policy.Value)
+	}
+
+	items, err := svc.DB.ScriptPolicy().List(ctx, filter, model.Page{
+		Number: params.Page,
+		Size:   params.Limit,
+	})
+	if err != nil {
+		return nil, err
+	}
+
+	var resp []api.ScriptPolicy
+	for _, item := range items {
+		resp = append(resp, api.ScriptPolicy{
+			ID:             item.ID,
+			FromScriptHash: model.HashFormat(uint64(item.FromScriptHash)),
+			ToScriptID:     item.ToScriptID,
+			Policy:         int32(item.Policy),
+		})
+	}
+
+	return resp, nil
+}
--- a/pkg/service_internal/scripts.go
+++ b/pkg/service_internal/scripts.go
@@ -0,0 +1,100 @@
+package service_internal
+
+import (
+	"context"
+
+	"git.itzana.me/strafesnet/maps-service/pkg/datastore"
+	"git.itzana.me/strafesnet/maps-service/pkg/internal"
+	"git.itzana.me/strafesnet/maps-service/pkg/model"
+)
+
+// CreateScript implements createScript operation.
+//
+// Create a new script.
+//
+// POST /scripts
+func (svc *Service) CreateScript(ctx context.Context, req *api.ScriptCreate) (*api.ID, error) {
+	script, err := svc.DB.Scripts().Create(ctx, model.Script{
+		ID:           0,
+		Name:         req.Name,
+		Hash:         int64(model.HashSource(req.Source)),
+		Source:       req.Source,
+		ResourceType: model.ResourceType(req.ResourceType),
+		ResourceID:   req.ResourceID.Or(0),
+	})
+	if err != nil {
+		return nil, err
+	}
+
+	return &api.ID{
+		ID: script.ID,
+	}, nil
+}
+
+// ListScripts implements listScripts operation.
+//
+// Get list of scripts.
+//
+// GET /scripts
+func (svc *Service) ListScripts(ctx context.Context, params api.ListScriptsParams) ([]api.Script, error) {
+	filter := datastore.Optional()
+
+	if params.Hash.IsSet(){
+		hash, err := model.HashParse(params.Hash.Value)
+		if err != nil {
+			return nil, err
+		}
+		filter.AddNotNil("hash", int64(hash)) // No type safety!
+	}
+	if params.Name.IsSet(){
+		filter.AddNotNil("name", params.Name.Value)
+	}
+	if params.Source.IsSet(){
+		filter.AddNotNil("source", params.Source.Value)
+	}
+	if params.SubmissionID.IsSet(){
+		filter.AddNotNil("submission_id", params.SubmissionID.Value)
+	}
+
+	items, err := svc.DB.Scripts().List(ctx, filter, model.Page{
+		Number: params.Page,
+		Size:   params.Limit,
+	})
+	if err != nil {
+		return nil, err
+	}
+
+	var resp []api.Script
+	for _, item := range items {
+		resp = append(resp, api.Script{
+			ID:           item.ID,
+			Hash:         model.HashFormat(uint64(item.Hash)),
+			Source:       item.Source,
+			ResourceType: int32(item.ResourceType),
+			ResourceID:   item.ResourceID,
+		})
+	}
+
+	return resp, nil
+}
+
+// GetScript implements getScript operation.
+//
+// Get the specified script by ID.
+//
+// GET /scripts/{ScriptID}
+func (svc *Service) GetScript(ctx context.Context, params api.GetScriptParams) (*api.Script, error) {
+	script, err := svc.DB.Scripts().Get(ctx, params.ScriptID)
+	if err != nil {
+		return nil, err
+	}
+
+	return &api.Script{
+		ID:           script.ID,
+		Name:         script.Name,
+		Hash:         model.HashFormat(uint64(script.Hash)),
+		Source:       script.Source,
+		ResourceType: int32(script.ResourceType),
+		ResourceID:   script.ResourceID,
+	}, nil
+}
--- a/pkg/service_internal/service_internal.go
+++ b/pkg/service_internal/service_internal.go
@@ -0,0 +1,30 @@
+package service_internal
+
+import (
+	"context"
+	"errors"
+
+	"git.itzana.me/strafesnet/maps-service/pkg/datastore"
+	internal "git.itzana.me/strafesnet/maps-service/pkg/internal"
+	"github.com/nats-io/nats.go"
+)
+
+type Service struct {
+	DB   datastore.Datastore
+	Nats nats.JetStreamContext
+}
+
+// yay duplicate code
+func (svc *Service) NewError(ctx context.Context, err error) *internal.ErrorStatusCode {
+	status := 500
+	if errors.Is(err, datastore.ErrNotExist) {
+		status = 404
+	}
+	return &internal.ErrorStatusCode{
+		StatusCode: status,
+		Response: internal.Error{
+			Code:    int64(status),
+			Message: err.Error(),
+		},
+	}
+}
--- a/pkg/service_internal/submissions.go
+++ b/pkg/service_internal/submissions.go
@@ -0,0 +1,62 @@
+package service_internal
+
+import (
+	"context"
+
+	internal "git.itzana.me/strafesnet/maps-service/pkg/internal"
+	"git.itzana.me/strafesnet/maps-service/pkg/datastore"
+	"git.itzana.me/strafesnet/maps-service/pkg/model"
+)
+
+// UpdateSubmissionValidatedModel implements patchSubmissionModel operation.
+//
+// Update model following role restrictions.
+//
+// POST /submissions/{SubmissionID}/validated-model
+func (svc *Service) UpdateSubmissionValidatedModel(ctx context.Context, params internal.UpdateSubmissionValidatedModelParams) error {
+	// check if Status is ChangesRequested|Submitted|UnderConstruction
+	pmap := datastore.Optional()
+	pmap.AddNotNil("validated_asset_id", params.ValidatedModelID)
+	pmap.AddNotNil("validated_asset_version", params.ValidatedModelVersion)
+	// DO NOT reset completed when validated model is updated
+	// pmap.Add("completed", false)
+	return svc.DB.Submissions().IfStatusThenUpdate(ctx, params.SubmissionID, []model.SubmissionStatus{model.SubmissionStatusValidating}, pmap)
+}
+
+// ActionSubmissionValidate invokes actionSubmissionValidate operation.
+//
+// Role Validator changes status from Validating -> Validated.
+//
+// POST /submissions/{SubmissionID}/status/validator-validated
+func (svc *Service) ActionSubmissionValidated(ctx context.Context, params internal.ActionSubmissionValidatedParams) error {
+	// transaction
+	smap := datastore.Optional()
+	smap.Add("status_id", model.SubmissionStatusValidated)
+	return svc.DB.Submissions().IfStatusThenUpdate(ctx, params.SubmissionID, []model.SubmissionStatus{model.SubmissionStatusValidating}, smap)
+}
+
+// ActionSubmissionAccepted implements actionSubmissionAccepted operation.
+//
+// (Internal endpoint) Role Validator changes status from Validating -> Accepted.
+//
+// POST /submissions/{SubmissionID}/status/validator-failed
+func (svc *Service) ActionSubmissionAccepted(ctx context.Context, params internal.ActionSubmissionAcceptedParams) error {
+	// transaction
+	smap := datastore.Optional()
+	smap.Add("status_id", model.SubmissionStatusAccepted)
+	smap.Add("status_message", params.StatusMessage)
+	return svc.DB.Submissions().IfStatusThenUpdate(ctx, params.SubmissionID, []model.SubmissionStatus{model.SubmissionStatusValidating}, smap)
+}
+
+// ActionSubmissionUploaded implements actionSubmissionUploaded operation.
+//
+// (Internal endpoint) Role Validator changes status from Uploading -> Uploaded.
+//
+// POST /submissions/{SubmissionID}/status/validator-uploaded
+func (svc *Service) ActionSubmissionUploaded(ctx context.Context, params internal.ActionSubmissionUploadedParams) error {
+	// transaction
+	smap := datastore.Optional()
+	smap.Add("status_id", model.SubmissionStatusUploaded)
+	smap.Add("uploaded_asset_id", params.UploadedAssetID)
+	return svc.DB.Submissions().IfStatusThenUpdate(ctx, params.SubmissionID, []model.SubmissionStatus{model.SubmissionStatusUploading}, smap)
+}
--- a/releaser/.cargo/config.toml
+++ b/releaser/.cargo/config.toml
@@ -1,2 +0,0 @@
-[registries.strafesnet]
-index = "sparse+https://git.itzana.me/api/packages/strafesnet/cargo/"
--- a/releaser/Cargo.lock
+++ b/releaser/Cargo.lock
--- a/releaser/Cargo.toml
+++ b/releaser/Cargo.toml
@@ -1,11 +0,0 @@
-[package]
-name = "releaser"
-version = "0.1.0"
-edition = "2021"
-
-[dependencies]
-submissions-api = { version = "0.1.0", registry = "strafesnet" }
-rbx_asset = { version = "0.2.5", registry = "strafesnet" }
-rust-grpc = { version = "1.0.3", registry = "strafesnet" }
-tokio = { version = "1.41.1", features = ["macros", "rt-multi-thread", "signal"] }
-tonic = "0.12.3"
--- a/releaser/Containerfile
+++ b/releaser/Containerfile
@@ -1,24 +0,0 @@
-# Using the `rust-musl-builder` as base image, instead of
-# the official Rust toolchain
-FROM docker.io/clux/muslrust:stable AS chef
-USER root
-RUN cargo install cargo-chef
-WORKDIR /app
-
-FROM chef AS planner
-COPY . .
-RUN cargo chef prepare --recipe-path recipe.json
-
-FROM chef AS builder
-COPY --from=planner /app/recipe.json recipe.json
-
-# Notice that we are specifying the --target flag!
-RUN cargo chef cook --release --target x86_64-unknown-linux-musl --recipe-path recipe.json
-COPY . .
-RUN cargo build --release --target x86_64-unknown-linux-musl --bin releaser
-
-FROM docker.io/alpine:latest AS runtime
-RUN addgroup -S myuser && adduser -S myuser -G myuser
-COPY --from=builder /app/target/x86_64-unknown-linux-musl/release/releaser /usr/local/bin/
-USER myuser
-ENTRYPOINT ["/usr/local/bin/releaser"]
--- a/releaser/src/main.rs
+++ b/releaser/src/main.rs
@@ -1,32 +0,0 @@
-#[allow(dead_code)]
-#[derive(Debug)]
-pub enum StartupError{
-	API(submissions_api::ReqwestError),
-	GRPCConnect(tonic::transport::Error),
-}
-impl std::fmt::Display for StartupError{
-	fn fmt(&self,f:&mut std::fmt::Formatter<'_>)->std::fmt::Result{
-		write!(f,"{self:?}")
-	}
-}
-impl std::error::Error for StartupError{}
-
-// annoying mile-long type
-pub type MapsServiceClient=rust_grpc::maps::maps_service_client::MapsServiceClient<tonic::transport::channel::Channel>;
-
-#[tokio::main]
-async fn main()->Result<(),StartupError>{
-	// maps-service api
-	let api_host=std::env::var("API_HOST").expect("API_HOST env required");
-	let api=submissions_api::Context::new(api_host).map_err(StartupError::API)?;
-
-	// data-service grpc for creating map entries
-	let data_host=std::env::var("DATA_HOST").expect("DATA_HOST env required");
-	let maps_grpc=crate::MapsServiceClient::connect(data_host).await.map_err(StartupError::GRPCConnect)?;
-
-	// request maps pending release
-	// randomize list
-	// release maps
-
-	Ok(())
-}
--- a/submissions-api-rs/.gitignore
+++ b/submissions-api-rs/.gitignore
@@ -1 +0,0 @@
-/target
--- a/submissions-api-rs/Cargo.lock
+++ b/submissions-api-rs/Cargo.lock
--- a/submissions-api-rs/src/lib.rs
+++ b/submissions-api-rs/src/lib.rs
@@ -1,131 +0,0 @@
-#[derive(Debug)]
-pub enum Error{
-	ParseError(url::ParseError),
-	Reqwest(reqwest::Error),
-}
-impl std::fmt::Display for Error{
-	fn fmt(&self,f:&mut std::fmt::Formatter<'_>)->std::fmt::Result{
-		write!(f,"{self:?}")
-	}
-}
-impl std::error::Error for Error{}
-
-#[derive(serde::Deserialize)]
-pub struct ScriptID(i64);
-
-#[allow(nonstandard_style)]
-pub struct GetScriptRequest{
-	pub ScriptID:ScriptID,
-}
-#[allow(nonstandard_style)]
-#[derive(serde::Deserialize)]
-pub struct ScriptResponse{
-	pub ID:i64,
-	pub Hash:String,
-	pub Source:String,
-	pub SubmissionID:i64,
-}
-
-#[derive(serde::Deserialize)]
-#[repr(i32)]
-pub enum Policy{
-	None=0, // not yet reviewed
-	Allowed=1,
-	Blocked=2,
-	Delete=3,
-	Replace=4,
-}
-
-pub struct ScriptPolicyHashRequest{
-	pub hash:String,
-}
-#[allow(nonstandard_style)]
-#[derive(serde::Deserialize)]
-pub struct ScriptPolicyResponse{
-	pub ID:i64,
-	pub FromScriptHash:String,
-	pub ToScriptID:ScriptID,
-	pub Policy:Policy
-}
-
-#[allow(nonstandard_style)]
-pub struct UpdateSubmissionModelRequest{
-	pub ID:i64,
-	pub ModelID:u64,
-	pub ModelVersion:u64,
-}
-
-pub struct SubmissionID(pub i64);
-
-#[derive(Clone)]
-pub struct Context{
-	base_url:String,
-	client:reqwest::Client,
-}
-
-pub type ReqwestError=reqwest::Error;
-
-// there are lots of action endpoints and they all follow the same pattern
-macro_rules! action{
-	($fname:ident,$action:expr)=>{
-		pub async fn $fname(&self,config:SubmissionID)->Result<(),Error>{
-			let url_raw=format!(concat!("{}/submissions/{}/status/",$action),self.base_url,config.0);
-			let url=reqwest::Url::parse(url_raw.as_str()).map_err(Error::ParseError)?;
-
-			self.post(url).await.map_err(Error::Reqwest)?
-			.error_for_status().map_err(Error::Reqwest)?;
-
-			Ok(())
-		}
-	};
-}
-impl Context{
-	pub fn new(mut base_url:String)->reqwest::Result<Self>{
-		base_url+="/v1";
-		Ok(Self{
-			base_url,
-			client:reqwest::Client::new(),
-		})
-	}
-	async fn get(&self,url:impl reqwest::IntoUrl)->Result<reqwest::Response,reqwest::Error>{
-		self.client.get(url)
-		.send().await
-	}
-	async fn post(&self,url:impl reqwest::IntoUrl)->Result<reqwest::Response,reqwest::Error>{
-		self.client.post(url)
-		.send().await
-	}
-	pub async fn get_script(&self,config:GetScriptRequest)->Result<ScriptResponse,Error>{
-		let url_raw=format!("{}/scripts/{}",self.base_url,config.ScriptID.0);
-		let url=reqwest::Url::parse(url_raw.as_str()).map_err(Error::ParseError)?;
-
-		self.get(url).await.map_err(Error::Reqwest)?
-		.error_for_status().map_err(Error::Reqwest)?
-		.json().await.map_err(Error::Reqwest)
-	}
-	pub async fn get_script_policy_from_hash(&self,config:ScriptPolicyHashRequest)->Result<ScriptPolicyResponse,Error>{
-		let url_raw=format!("{}/script-policy/hash/{}",self.base_url,config.hash);
-		let url=reqwest::Url::parse(url_raw.as_str()).map_err(Error::ParseError)?;
-
-		self.get(url).await.map_err(Error::Reqwest)?
-		.error_for_status().map_err(Error::Reqwest)?
-		.json().await.map_err(Error::Reqwest)
-	}
-	pub async fn update_submission_model(&self,config:UpdateSubmissionModelRequest)->Result<(),Error>{
-		let url_raw=format!("{}/submissions/{}/model",self.base_url,config.ID);
-		let mut url=reqwest::Url::parse(url_raw.as_str()).map_err(Error::ParseError)?;
-
-		{
-			url.query_pairs_mut()
-				.append_pair("ModelID",config.ModelID.to_string().as_str())
-				.append_pair("ModelVersion",config.ModelVersion.to_string().as_str());
-		}
-
-		self.post(url).await.map_err(Error::Reqwest)?
-		.error_for_status().map_err(Error::Reqwest)?;
-
-		Ok(())
-	}
-	action!(action_submission_validate,"validator-validated");
-	action!(action_submission_publish,"validator-published");
-}
--- a/validation/.dockerignore
+++ b/validation/.dockerignore
--- a/validation/.gitignore
+++ b/validation/.gitignore
@@ -1 +0,0 @@
-/target
--- a/validation/Cargo.toml
+++ b/validation/Cargo.toml
@@ -1,11 +1,11 @@
 [package]
 name = "maps-validation"
-version = "0.1.0"
+version = "0.1.1"
 edition = "2021"

 [dependencies]
-submissions-api = { version = "0.1.0", registry = "strafesnet" }
-async-nats = "0.38.0"
+submissions-api = { path = "api", features = ["internal"], default-features = false, registry = "strafesnet" }
+async-nats = "0.40.0"
 futures = "0.3.31"
 rbx_asset = { version = "0.2.5", registry = "strafesnet" }
 rbx_binary = { version = "0.7.4", registry = "strafesnet"}
--- a/validation/Containerfile
+++ b/validation/Containerfile
@@ -11,7 +11,7 @@ RUN cargo chef prepare --recipe-path recipe.json

 FROM chef AS builder
 COPY --from=planner /app/recipe.json recipe.json
-
+COPY api ./api
 # Notice that we are specifying the --target flag!
 RUN cargo chef cook --release --target x86_64-unknown-linux-musl --recipe-path recipe.json
 COPY . .
--- a/submissions-api-rs/Cargo.toml
+++ b/submissions-api-rs/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "submissions-api"
-version = "0.1.0"
+version = "0.6.1"
 edition = "2021"
 publish = ["strafesnet"]
 repository = "https://git.itzana.me/StrafesNET/maps-service"
@@ -14,4 +14,10 @@ authors = ["Rhys Lloyd <krakow20@gmail.com>"]
 reqwest = { version = "0", features = ["json"] }
 serde = { version = "1", features = ["derive"] }
 serde_json = "1"
+serde_repr = "0.1.19"
 url = "2"
+
+[features]
+default = ["external"]
+internal = []
+external = []
--- a/submissions-api-rs/LICENSE-APACHE
+++ b/submissions-api-rs/LICENSE-APACHE
--- a/submissions-api-rs/LICENSE-MIT
+++ b/submissions-api-rs/LICENSE-MIT
--- a/validation/api/src/context.rs
+++ b/validation/api/src/context.rs
@@ -0,0 +1,47 @@
+pub struct Cookie(reqwest::header::HeaderValue);
+
+impl Cookie{
+	/// cookie is prepended with "session_id=" by this function
+	pub fn new(cookie:&str)->Result<Self,reqwest::header::InvalidHeaderValue>{
+		Ok(Self(reqwest::header::HeaderValue::from_str(&format!("session_id={}",cookie))?))
+	}
+}
+
+#[derive(Clone)]
+pub struct Context{
+	pub base_url:String,
+	client:reqwest::Client,
+}
+
+impl Context{
+	pub fn new(base_url:String,cookie:Option<Cookie>)->reqwest::Result<Self>{
+		Ok(Self{
+			base_url,
+			client:{
+				let mut builder=reqwest::ClientBuilder::new();
+				if let Some(mut cookie)=cookie{
+					cookie.0.set_sensitive(true);
+					let mut headers=reqwest::header::HeaderMap::new();
+					headers.insert("Cookie",cookie.0);
+					builder=builder.default_headers(headers);
+				}
+				builder.build()?
+			},
+		})
+	}
+	pub async fn get(&self,url:impl reqwest::IntoUrl)->Result<reqwest::Response,reqwest::Error>{
+		self.client.get(url)
+		.send().await
+	}
+	#[cfg(feature="internal")]
+	pub async fn post_empty_body(&self,url:impl reqwest::IntoUrl)->Result<reqwest::Response,reqwest::Error>{
+		self.client.post(url)
+		.send().await
+	}
+	pub async fn post(&self,url:impl reqwest::IntoUrl,body:impl Into<reqwest::Body>)->Result<reqwest::Response,reqwest::Error>{
+		self.client.post(url)
+    	.header("Content-Type","application/json")
+    	.body(body)
+		.send().await
+	}
+}
--- a/validation/api/src/external.rs
+++ b/validation/api/src/external.rs
@@ -0,0 +1,131 @@
+use crate::types::*;
+
+#[derive(Clone)]
+pub struct Context(crate::context::Context);
+
+impl Context{
+	pub fn new(base_url:String,cookie:crate::context::Cookie)->reqwest::Result<Self>{
+		Ok(Self(crate::context::Context::new(base_url,Some(cookie))?))
+	}
+	pub async fn get_script(&self,config:GetScriptRequest)->Result<ScriptResponse,Error>{
+		let url_raw=format!("{}/scripts/{}",self.0.base_url,config.ScriptID.0);
+		let url=reqwest::Url::parse(url_raw.as_str()).map_err(Error::Parse)?;
+
+		response_ok(
+			self.0.get(url).await.map_err(Error::Reqwest)?
+		).await.map_err(Error::Response)?
+		.json().await.map_err(Error::Reqwest)
+	}
+	pub async fn get_scripts<'a>(&self,config:GetScriptsRequest<'a>)->Result<Vec<ScriptResponse>,Error>{
+		let url_raw=format!("{}/scripts",self.0.base_url);
+		let mut url=reqwest::Url::parse(url_raw.as_str()).map_err(Error::Parse)?;
+
+		{
+			let mut query_pairs=url.query_pairs_mut();
+			query_pairs.append_pair("Page",config.Page.to_string().as_str());
+			query_pairs.append_pair("Limit",config.Limit.to_string().as_str());
+			if let Some(name)=config.Name{
+				query_pairs.append_pair("Name",name);
+			}
+			if let Some(hash)=config.Hash{
+				query_pairs.append_pair("Hash",hash);
+			}
+			if let Some(source)=config.Source{
+				query_pairs.append_pair("Source",source);
+			}
+			if let Some(submission_id)=config.SubmissionID{
+				query_pairs.append_pair("SubmissionID",submission_id.to_string().as_str());
+			}
+		}
+
+		response_ok(
+			self.0.get(url).await.map_err(Error::Reqwest)?
+		).await.map_err(Error::Response)?
+		.json().await.map_err(Error::Reqwest)
+	}
+	pub async fn get_script_from_hash<'a>(&self,config:HashRequest<'a>)->Result<Option<ScriptResponse>,SingleItemError>{
+		let scripts=self.get_scripts(GetScriptsRequest{
+			Page:1,
+			Limit:2,
+			Hash:Some(config.hash),
+			Name:None,
+			Source:None,
+			SubmissionID:None,
+		}).await.map_err(SingleItemError::Other)?;
+		if 1<scripts.len(){
+			return Err(SingleItemError::DuplicateItems);
+		}
+		Ok(scripts.into_iter().next())
+	}
+	pub async fn create_script<'a>(&self,config:CreateScriptRequest<'a>)->Result<ScriptIDResponse,Error>{
+		let url_raw=format!("{}/scripts",self.0.base_url);
+		let url=reqwest::Url::parse(url_raw.as_str()).map_err(Error::Parse)?;
+
+		let body=serde_json::to_string(&config).map_err(Error::JSON)?;
+
+		response_ok(
+			self.0.post(url,body).await.map_err(Error::Reqwest)?
+		).await.map_err(Error::Response)?
+		.json().await.map_err(Error::Reqwest)
+	}
+	pub async fn get_script_policies<'a>(&self,config:GetScriptPoliciesRequest<'a>)->Result<Vec<ScriptPolicyResponse>,Error>{
+		let url_raw=format!("{}/script-policy",self.0.base_url);
+		let mut url=reqwest::Url::parse(url_raw.as_str()).map_err(Error::Parse)?;
+
+		{
+			let mut query_pairs=url.query_pairs_mut();
+			query_pairs.append_pair("Page",config.Page.to_string().as_str());
+			query_pairs.append_pair("Limit",config.Limit.to_string().as_str());
+			if let Some(hash)=config.FromScriptHash{
+				query_pairs.append_pair("FromScriptHash",hash);
+			}
+			if let Some(script_id)=config.ToScriptID{
+				query_pairs.append_pair("ToScriptID",script_id.0.to_string().as_str());
+			}
+			if let Some(policy)=config.Policy{
+				query_pairs.append_pair("Policy",(policy as i32).to_string().as_str());
+			}
+		}
+
+		response_ok(
+			self.0.get(url).await.map_err(Error::Reqwest)?
+		).await.map_err(Error::Response)?
+		.json().await.map_err(Error::Reqwest)
+	}
+	pub async fn get_script_policy_from_hash<'a>(&self,config:HashRequest<'a>)->Result<Option<ScriptPolicyResponse>,SingleItemError>{
+		let policies=self.get_script_policies(GetScriptPoliciesRequest{
+			Page:1,
+			Limit:2,
+			FromScriptHash:Some(config.hash),
+			ToScriptID:None,
+			Policy:None,
+		}).await.map_err(SingleItemError::Other)?;
+		if 1<policies.len(){
+			return Err(SingleItemError::DuplicateItems);
+		}
+		Ok(policies.into_iter().next())
+	}
+	pub async fn create_script_policy(&self,config:CreateScriptPolicyRequest)->Result<ScriptPolicyIDResponse,Error>{
+		let url_raw=format!("{}/script-policy",self.0.base_url);
+		let url=reqwest::Url::parse(url_raw.as_str()).map_err(Error::Parse)?;
+
+		let body=serde_json::to_string(&config).map_err(Error::JSON)?;
+
+		response_ok(
+			self.0.post(url,body).await.map_err(Error::Reqwest)?
+		).await.map_err(Error::Response)?
+		.json().await.map_err(Error::Reqwest)
+	}
+	pub async fn update_script_policy(&self,config:UpdateScriptPolicyRequest)->Result<(),Error>{
+		let url_raw=format!("{}/script-policy/{}",self.0.base_url,config.ID.0);
+		let url=reqwest::Url::parse(url_raw.as_str()).map_err(Error::Parse)?;
+
+		let body=serde_json::to_string(&config).map_err(Error::JSON)?;
+
+		response_ok(
+			self.0.post(url,body).await.map_err(Error::Reqwest)?
+		).await.map_err(Error::Response)?;
+
+		Ok(())
+	}
+}
--- a/validation/api/src/internal.rs
+++ b/validation/api/src/internal.rs
@@ -0,0 +1,180 @@
+use crate::types::*;
+
+#[derive(Clone)]
+pub struct Context(crate::context::Context);
+
+// there are lots of action endpoints and they all follow the same pattern
+macro_rules! action{
+	($fname:ident,$action:expr)=>{
+		pub async fn $fname(&self,config:SubmissionID)->Result<(),Error>{
+			let url_raw=format!(concat!("{}/submissions/{}/status/",$action),self.0.base_url,config.0);
+			let url=reqwest::Url::parse(url_raw.as_str()).map_err(Error::Parse)?;
+
+			response_ok(
+				self.0.post_empty_body(url).await.map_err(Error::Reqwest)?
+			).await.map_err(Error::Response)?;
+
+			Ok(())
+		}
+	};
+}
+impl Context{
+	pub fn new(base_url:String)->reqwest::Result<Self>{
+		Ok(Self(crate::context::Context::new(base_url,None)?))
+	}
+	pub async fn get_script(&self,config:GetScriptRequest)->Result<ScriptResponse,Error>{
+		let url_raw=format!("{}/scripts/{}",self.0.base_url,config.ScriptID.0);
+		let url=reqwest::Url::parse(url_raw.as_str()).map_err(Error::Parse)?;
+
+		response_ok(
+			self.0.get(url).await.map_err(Error::Reqwest)?
+		).await.map_err(Error::Response)?
+		.json().await.map_err(Error::Reqwest)
+	}
+	pub async fn get_scripts<'a>(&self,config:GetScriptsRequest<'a>)->Result<Vec<ScriptResponse>,Error>{
+		let url_raw=format!("{}/scripts",self.0.base_url);
+		let mut url=reqwest::Url::parse(url_raw.as_str()).map_err(Error::Parse)?;
+
+		{
+			let mut query_pairs=url.query_pairs_mut();
+			query_pairs.append_pair("Page",config.Page.to_string().as_str());
+			query_pairs.append_pair("Limit",config.Limit.to_string().as_str());
+			if let Some(name)=config.Name{
+				query_pairs.append_pair("Name",name);
+			}
+			if let Some(hash)=config.Hash{
+				query_pairs.append_pair("Hash",hash);
+			}
+			if let Some(source)=config.Source{
+				query_pairs.append_pair("Source",source);
+			}
+			if let Some(submission_id)=config.SubmissionID{
+				query_pairs.append_pair("SubmissionID",submission_id.to_string().as_str());
+			}
+		}
+
+		response_ok(
+			self.0.get(url).await.map_err(Error::Reqwest)?
+		).await.map_err(Error::Response)?
+		.json().await.map_err(Error::Reqwest)
+	}
+	pub async fn get_script_from_hash<'a>(&self,config:HashRequest<'a>)->Result<Option<ScriptResponse>,SingleItemError>{
+		let scripts=self.get_scripts(GetScriptsRequest{
+			Page:1,
+			Limit:2,
+			Hash:Some(config.hash),
+			Name:None,
+			Source:None,
+			SubmissionID:None,
+		}).await.map_err(SingleItemError::Other)?;
+		if 1<scripts.len(){
+			return Err(SingleItemError::DuplicateItems);
+		}
+		Ok(scripts.into_iter().next())
+	}
+	pub async fn create_script<'a>(&self,config:CreateScriptRequest<'a>)->Result<ScriptIDResponse,Error>{
+		let url_raw=format!("{}/scripts",self.0.base_url);
+		let url=reqwest::Url::parse(url_raw.as_str()).map_err(Error::Parse)?;
+
+		let body=serde_json::to_string(&config).map_err(Error::JSON)?;
+
+		response_ok(
+			self.0.post(url,body).await.map_err(Error::Reqwest)?
+		).await.map_err(Error::Response)?
+		.json().await.map_err(Error::Reqwest)
+	}
+	pub async fn get_script_policies<'a>(&self,config:GetScriptPoliciesRequest<'a>)->Result<Vec<ScriptPolicyResponse>,Error>{
+		let url_raw=format!("{}/script-policy",self.0.base_url);
+		let mut url=reqwest::Url::parse(url_raw.as_str()).map_err(Error::Parse)?;
+
+		{
+			let mut query_pairs=url.query_pairs_mut();
+			query_pairs.append_pair("Page",config.Page.to_string().as_str());
+			query_pairs.append_pair("Limit",config.Limit.to_string().as_str());
+			if let Some(hash)=config.FromScriptHash{
+				query_pairs.append_pair("FromScriptHash",hash);
+			}
+			if let Some(script_id)=config.ToScriptID{
+				query_pairs.append_pair("ToScriptID",script_id.0.to_string().as_str());
+			}
+			if let Some(policy)=config.Policy{
+				query_pairs.append_pair("Policy",(policy as i32).to_string().as_str());
+			}
+		}
+
+		response_ok(
+			self.0.get(url).await.map_err(Error::Reqwest)?
+		).await.map_err(Error::Response)?
+		.json().await.map_err(Error::Reqwest)
+	}
+	pub async fn get_script_policy_from_hash<'a>(&self,config:HashRequest<'a>)->Result<Option<ScriptPolicyResponse>,SingleItemError>{
+		let policies=self.get_script_policies(GetScriptPoliciesRequest{
+			Page:1,
+			Limit:2,
+			FromScriptHash:Some(config.hash),
+			ToScriptID:None,
+			Policy:None,
+		}).await.map_err(SingleItemError::Other)?;
+		if 1<policies.len(){
+			return Err(SingleItemError::DuplicateItems);
+		}
+		Ok(policies.into_iter().next())
+	}
+	pub async fn create_script_policy(&self,config:CreateScriptPolicyRequest)->Result<ScriptPolicyIDResponse,Error>{
+		let url_raw=format!("{}/script-policy",self.0.base_url);
+		let url=reqwest::Url::parse(url_raw.as_str()).map_err(Error::Parse)?;
+
+		let body=serde_json::to_string(&config).map_err(Error::JSON)?;
+
+		response_ok(
+			self.0.post(url,body).await.map_err(Error::Reqwest)?
+		).await.map_err(Error::Response)?
+		.json().await.map_err(Error::Reqwest)
+	}
+	pub async fn update_submission_validated_model(&self,config:UpdateSubmissionModelRequest)->Result<(),Error>{
+		let url_raw=format!("{}/submissions/{}/validated-model",self.0.base_url,config.SubmissionID);
+		let mut url=reqwest::Url::parse(url_raw.as_str()).map_err(Error::Parse)?;
+
+		{
+			url.query_pairs_mut()
+				.append_pair("ValidatedModelID",config.ModelID.to_string().as_str())
+				.append_pair("ValidatedModelVersion",config.ModelVersion.to_string().as_str());
+		}
+
+		response_ok(
+			self.0.post_empty_body(url).await.map_err(Error::Reqwest)?
+		).await.map_err(Error::Response)?;
+
+		Ok(())
+	}
+	pub async fn action_submission_uploaded(&self,config:ActionSubmissionUploadedRequest)->Result<(),Error>{
+		let url_raw=format!("{}/submissions/{}/status/validator-uploaded",self.0.base_url,config.SubmissionID);
+		let mut url=reqwest::Url::parse(url_raw.as_str()).map_err(Error::Parse)?;
+
+		{
+			url.query_pairs_mut()
+				.append_pair("UploadedAssetID",config.UploadedAssetID.to_string().as_str());
+		}
+		response_ok(
+			self.0.post_empty_body(url).await.map_err(Error::Reqwest)?
+		).await.map_err(Error::Response)?;
+
+		Ok(())
+	}
+	pub async fn action_submission_accepted(&self,config:ActionSubmissionAcceptedRequest)->Result<(),Error>{
+		let url_raw=format!("{}/submissions/{}/status/validator-failed",self.0.base_url,config.SubmissionID);
+		let mut url=reqwest::Url::parse(url_raw.as_str()).map_err(Error::Parse)?;
+
+		{
+			url.query_pairs_mut()
+				.append_pair("StatusMessage",config.StatusMessage.as_str());
+		}
+
+		response_ok(
+			self.0.post_empty_body(url).await.map_err(Error::Reqwest)?
+		).await.map_err(Error::Response)?;
+
+		Ok(())
+	}
+	action!(action_submission_validated,"validator-validated");
+}
--- a/validation/api/src/lib.rs
+++ b/validation/api/src/lib.rs
@@ -0,0 +1,15 @@
+mod context;
+pub use context::Cookie;
+
+pub mod types;
+
+#[cfg(feature="internal")]
+pub mod internal;
+
+#[cfg(feature="external")]
+pub mod external;
+
+//lazy reexports
+pub use types::Error;
+pub type ReqwestError=reqwest::Error;
+pub type CookieError=reqwest::header::InvalidHeaderValue;
--- a/validation/api/src/types.rs
+++ b/validation/api/src/types.rs
@@ -0,0 +1,222 @@
+#[derive(Debug)]
+pub enum Error{
+	Parse(url::ParseError),
+	Reqwest(reqwest::Error),
+	Response(ResponseError),
+	JSON(serde_json::Error),
+}
+impl std::fmt::Display for Error{
+	fn fmt(&self,f:&mut std::fmt::Formatter<'_>)->std::fmt::Result{
+		write!(f,"{self:?}")
+	}
+}
+impl std::error::Error for Error{}
+
+#[derive(Debug)]
+pub enum SingleItemError{
+	DuplicateItems,
+	Other(Error),
+}
+impl std::fmt::Display for SingleItemError{
+	fn fmt(&self,f:&mut std::fmt::Formatter<'_>)->std::fmt::Result{
+		write!(f,"{self:?}")
+	}
+}
+impl std::error::Error for SingleItemError{}
+
+#[allow(dead_code)]
+#[derive(Debug)]
+pub struct StatusCodeWithUrlAndBody{
+	pub status_code:reqwest::StatusCode,
+	pub url:url::Url,
+	pub body:String,
+}
+
+#[derive(Debug)]
+pub enum ResponseError{
+	Reqwest(reqwest::Error),
+	StatusCodeWithUrlAndBody(StatusCodeWithUrlAndBody),
+}
+impl std::fmt::Display for ResponseError{
+	fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+		write!(f,"{self:?}")
+	}
+}
+impl std::error::Error for ResponseError{}
+// lazy function to draw out meaningful info from http response on failure
+pub async fn response_ok(response:reqwest::Response)->Result<reqwest::Response,ResponseError>{
+	let status_code=response.status();
+	if status_code.is_success(){
+		Ok(response)
+	}else{
+		let url=response.url().to_owned();
+		let bytes=response.bytes().await.map_err(ResponseError::Reqwest)?;
+		let body=String::from_utf8_lossy(&bytes).to_string();
+		Err(ResponseError::StatusCodeWithUrlAndBody(StatusCodeWithUrlAndBody{
+			status_code,
+			url,
+			body,
+		}))
+	}
+}
+
+#[derive(Clone,Copy,Debug,PartialEq,Eq,serde::Serialize,serde::Deserialize)]
+pub struct ScriptID(pub(crate)i64);
+#[derive(Clone,Copy,Debug,serde::Serialize,serde::Deserialize)]
+pub struct ScriptPolicyID(pub(crate)i64);
+
+#[allow(nonstandard_style)]
+pub struct GetScriptRequest{
+	pub ScriptID:ScriptID,
+}
+#[allow(nonstandard_style)]
+#[derive(Clone,Debug,serde::Serialize)]
+pub struct GetScriptsRequest<'a>{
+	pub Page:u32,
+	pub Limit:u32,
+	#[serde(skip_serializing_if="Option::is_none")]
+	pub Name:Option<&'a str>,
+	#[serde(skip_serializing_if="Option::is_none")]
+	pub Hash:Option<&'a str>,
+	#[serde(skip_serializing_if="Option::is_none")]
+	pub Source:Option<&'a str>,
+	#[serde(skip_serializing_if="Option::is_none")]
+	pub SubmissionID:Option<i64>,
+}
+#[derive(Clone,Copy,Debug)]
+pub struct HashRequest<'a>{
+	pub hash:&'a str,
+}
+#[allow(nonstandard_style)]
+#[derive(Clone,Debug,serde::Deserialize)]
+pub struct ScriptResponse{
+	pub ID:ScriptID,
+	pub Name:String,
+	pub Hash:String,
+	pub Source:String,
+	pub SubmissionID:i64,
+}
+#[derive(Clone,Debug,serde::Serialize)]
+pub enum ResourceType{
+	Unknown=0,
+	Mapfix=1,
+	Submission=2,
+}
+#[allow(nonstandard_style)]
+#[derive(Clone,Debug,serde::Serialize)]
+pub struct CreateScriptRequest<'a>{
+	pub Name:&'a str,
+	pub Source:&'a str,
+	pub ResourceType:ResourceType,
+	#[serde(skip_serializing_if="Option::is_none")]
+	pub ResourceID:Option<i64>,
+}
+#[allow(nonstandard_style)]
+#[derive(Clone,Debug,serde::Deserialize)]
+pub struct ScriptIDResponse{
+	pub ID:ScriptID,
+}
+
+#[derive(Clone,Copy,Debug,PartialEq,Eq,serde_repr::Serialize_repr,serde_repr::Deserialize_repr)]
+#[repr(i32)]
+pub enum Policy{
+	None=0, // not yet reviewed
+	Allowed=1,
+	Blocked=2,
+	Delete=3,
+	Replace=4,
+}
+
+#[allow(nonstandard_style)]
+#[derive(Clone,Debug,serde::Serialize)]
+pub struct GetScriptPoliciesRequest<'a>{
+	pub Page:u32,
+	pub Limit:u32,
+	#[serde(skip_serializing_if="Option::is_none")]
+	pub FromScriptHash:Option<&'a str>,
+	#[serde(skip_serializing_if="Option::is_none")]
+	pub ToScriptID:Option<ScriptID>,
+	#[serde(skip_serializing_if="Option::is_none")]
+	pub Policy:Option<Policy>,
+}
+#[allow(nonstandard_style)]
+#[derive(Clone,Debug,serde::Deserialize)]
+pub struct ScriptPolicyResponse{
+	pub ID:ScriptPolicyID,
+	pub FromScriptHash:String,
+	pub ToScriptID:ScriptID,
+	pub Policy:Policy
+}
+#[allow(nonstandard_style)]
+#[derive(Clone,Debug,serde::Serialize)]
+pub struct CreateScriptPolicyRequest{
+	pub FromScriptID:ScriptID,
+	pub ToScriptID:ScriptID,
+	pub Policy:Policy,
+}
+#[allow(nonstandard_style)]
+#[derive(Clone,Debug,serde::Deserialize)]
+pub struct ScriptPolicyIDResponse{
+	pub ID:ScriptPolicyID,
+}
+
+#[allow(nonstandard_style)]
+#[derive(Clone,Debug,serde::Serialize)]
+pub struct UpdateScriptPolicyRequest{
+	pub ID:ScriptPolicyID,
+	#[serde(skip_serializing_if="Option::is_none")]
+	pub FromScriptID:Option<ScriptID>,
+	#[serde(skip_serializing_if="Option::is_none")]
+	pub ToScriptID:Option<ScriptID>,
+	#[serde(skip_serializing_if="Option::is_none")]
+	pub Policy:Option<Policy>,
+}
+
+#[allow(nonstandard_style)]
+#[derive(Clone,Debug)]
+pub struct UpdateSubmissionModelRequest{
+	pub SubmissionID:i64,
+	pub ModelID:u64,
+	pub ModelVersion:u64,
+}
+
+#[allow(nonstandard_style)]
+#[derive(Clone,Debug)]
+pub struct ActionSubmissionUploadedRequest{
+	pub SubmissionID:i64,
+	pub UploadedAssetID:u64,
+}
+
+#[allow(nonstandard_style)]
+#[derive(Clone,Debug)]
+pub struct ActionSubmissionAcceptedRequest{
+	pub SubmissionID:i64,
+	pub StatusMessage:String,
+}
+
+#[derive(Clone,Copy,Debug)]
+pub struct SubmissionID(pub i64);
+
+#[allow(nonstandard_style)]
+#[derive(Clone,Debug)]
+pub struct UpdateMapfixModelRequest{
+	pub MapfixID:i64,
+	pub ModelID:u64,
+	pub ModelVersion:u64,
+}
+
+#[allow(nonstandard_style)]
+#[derive(Clone,Debug)]
+pub struct ActionMapfixUploadedRequest{
+	pub MapfixID:i64,
+}
+
+#[allow(nonstandard_style)]
+#[derive(Clone,Debug)]
+pub struct ActionMapfixAcceptedRequest{
+	pub MapfixID:i64,
+	pub StatusMessage:String,
+}
+
+#[derive(Clone,Copy,Debug)]
+pub struct MapfixID(pub i64);
--- a/validation/src/main.rs
+++ b/validation/src/main.rs
@@ -1,10 +1,14 @@
 use futures::StreamExt;

-mod nats_types;
-mod validator;
-mod publish_new;
-mod publish_fix;
 mod message_handler;
+mod nats_types;
+mod types;
+mod uploader;
+mod upload_mapfix;
+mod upload_submission;
+mod validator;
+mod validate_mapfix;
+mod validate_submission;

 #[allow(dead_code)]
 #[derive(Debug)]
@@ -22,19 +26,25 @@ impl std::fmt::Display for StartupError{
 }
 impl std::error::Error for StartupError{}

-pub const GROUP_STRAFESNET:u64=6980477;
-
 pub const PARALLEL_REQUESTS:usize=16;

 #[tokio::main]
 async fn main()->Result<(),StartupError>{
+	let group_id:Option<u64>=match std::env::var("ROBLOX_GROUP_ID"){
+		Ok(s)=>match s.as_str(){
+			"None"=>None,
+			_=>Some(s.parse().expect("ROBLOX_GROUP_ID int parse")),
+		},
+		Err(e)=>Err(e).expect("ROBLOX_GROUP_ID env required"),
+	};
+
 	// talk to roblox through STRAFESNET_CI2 account
 	let cookie=std::env::var("RBXCOOKIE").expect("RBXCOOKIE env required");
 	let cookie_context=rbx_asset::cookie::CookieContext::new(rbx_asset::cookie::Cookie::new(cookie));

 	// maps-service api
-	let api_host=std::env::var("API_HOST").expect("API_HOST env required");
-	let api=submissions_api::Context::new(api_host).map_err(StartupError::API)?;
+	let api_host_internal=std::env::var("API_HOST_INTERNAL").expect("API_HOST_INTERNAL env required");
+	let api=submissions_api::internal::Context::new(api_host_internal).map_err(StartupError::API)?;

 	// nats
 	let nats_host=std::env::var("NATS_HOST").expect("NATS_HOST env required");
@@ -46,13 +56,13 @@ async fn main()->Result<(),StartupError>{
 			.get_or_create_consumer("validation",async_nats::jetstream::consumer::pull::Config{
 				name:Some("validation".to_owned()),
 				durable_name:Some("validation".to_owned()),
-				filter_subject:"maptest.submissions.>".to_owned(),
+				filter_subject:"maptest.>".to_owned(),
 				..Default::default()
 			}).await.map_err(StartupError::NatsConsumer)?
 			.messages().await.map_err(StartupError::NatsStream)
 	};

-	let message_handler=message_handler::MessageHandler::new(cookie_context,api);
+	let message_handler=message_handler::MessageHandler::new(cookie_context,group_id,api);

 	// Create a signal listener for SIGTERM
 	let mut sig_term=tokio::signal::unix::signal(tokio::signal::unix::SignalKind::terminate()).expect("Failed to create SIGTERM signal listener");
--- a/validation/src/message_handler.rs
+++ b/validation/src/message_handler.rs
@@ -3,10 +3,12 @@
 pub enum HandleMessageError{
 	Messages(async_nats::jetstream::consumer::pull::MessagesError),
 	DoubleAck(async_nats::Error),
+	Json(serde_json::Error),
 	UnknownSubject(String),
-	PublishNew(crate::publish_new::PublishError),
-	PublishFix(crate::publish_fix::PublishError),
-	Validation(crate::validator::ValidateError),
+	UploadMapfix(crate::upload_mapfix::UploadError),
+	UploadSubmission(crate::upload_submission::UploadError),
+	ValidateMapfix(crate::validate_mapfix::ValidateMapfixError),
+	ValidateSubmission(crate::validate_submission::ValidateSubmissionError),
 }
 impl std::fmt::Display for HandleMessageError{
 	fn fmt(&self,f:&mut std::fmt::Formatter<'_>)->std::fmt::Result{
@@ -17,30 +19,38 @@ impl std::error::Error for HandleMessageError{}

 pub type MessageResult=Result<async_nats::jetstream::Message,async_nats::jetstream::consumer::pull::MessagesError>;

+fn from_slice<'a,T:serde::de::Deserialize<'a>>(slice:&'a [u8])->Result<T,HandleMessageError>{
+	serde_json::from_slice(slice).map_err(HandleMessageError::Json)
+}
+
 pub struct MessageHandler{
-	publish_new:crate::publish_new::Publisher,
-	publish_fix:crate::publish_fix::Publisher,
-	validator:crate::validator::Validator,
+	upload_mapfix:crate::upload_mapfix::Uploader,
+	upload_submission:crate::upload_submission::Uploader,
+	validate_mapfix:crate::validate_mapfix::Validator,
+	validate_submission:crate::validate_submission::Validator,
 }

 impl MessageHandler{
 	pub fn new(
 		cookie_context:rbx_asset::cookie::CookieContext,
-		api:submissions_api::Context,
+		group_id:Option<u64>,
+		api:submissions_api::internal::Context,
 	)->Self{
 		Self{
-			publish_new:crate::publish_new::Publisher::new(cookie_context.clone(),api.clone()),
-			publish_fix:crate::publish_fix::Publisher::new(cookie_context.clone(),api.clone()),
-			validator:crate::validator::Validator::new(cookie_context,api),
+			upload_mapfix:crate::upload_mapfix::Uploader::new(crate::uploader::Uploader::new(cookie_context.clone(),group_id,api.clone())),
+			upload_submission:crate::upload_submission::Uploader::new(crate::uploader::Uploader::new(cookie_context.clone(),group_id,api.clone())),
+			validate_mapfix:crate::validate_mapfix::Validator::new(crate::validator::Validator::new(cookie_context.clone(),api.clone())),
+			validate_submission:crate::validate_submission::Validator::new(crate::validator::Validator::new(cookie_context,api)),
 		}
 	}
 	pub async fn handle_message_result(&self,message_result:MessageResult)->Result<(),HandleMessageError>{
 		let message=message_result.map_err(HandleMessageError::Messages)?;
 		message.double_ack().await.map_err(HandleMessageError::DoubleAck)?;
 		match message.subject.as_str(){
-			"maptest.submissions.publishnew"=>self.publish_new.publish(message).await.map_err(HandleMessageError::PublishNew),
-			"maptest.submissions.publishfix"=>self.publish_fix.publish(message).await.map_err(HandleMessageError::PublishFix),
-			"maptest.submissions.validate"=>self.validator.validate(message).await.map_err(HandleMessageError::Validation),
+			"maptest.mapfixes.upload"=>self.upload_mapfix.upload(from_slice(&message.payload)?).await.map_err(HandleMessageError::UploadMapfix),
+			"maptest.submissions.upload"=>self.upload_submission.upload(from_slice(&message.payload)?).await.map_err(HandleMessageError::UploadSubmission),
+			"maptest.mapfixes.validate"=>self.validate_mapfix.validate(from_slice(&message.payload)?).await.map_err(HandleMessageError::ValidateMapfix),
+			"maptest.submissions.validate"=>self.validate_submission.validate(from_slice(&message.payload)?).await.map_err(HandleMessageError::ValidateSubmission),
 			other=>Err(HandleMessageError::UnknownSubject(other.to_owned()))
 		}
 	}
--- a/validation/src/nats_types.rs
+++ b/validation/src/nats_types.rs
@@ -6,7 +6,7 @@

 #[allow(nonstandard_style)]
 #[derive(serde::Deserialize)]
-pub struct ValidateRequest{
+pub struct ValidateSubmissionRequest{
 	// submission_id is passed back in the response message
 	pub SubmissionID:i64,
 	pub ModelID:u64,
@@ -14,23 +14,30 @@ pub struct ValidateRequest{
 	pub ValidatedModelID:Option<u64>,
 }

+#[allow(nonstandard_style)]
+#[derive(serde::Deserialize)]
+pub struct ValidateMapfixRequest{
+	// submission_id is passed back in the response message
+	pub MapfixID:i64,
+	pub ModelID:u64,
+	pub ModelVersion:u64,
+	pub ValidatedModelID:Option<u64>,
+}
+
 // Create a new map
 #[allow(nonstandard_style)]
 #[derive(serde::Deserialize)]
-pub struct PublishNewRequest{
+pub struct UploadSubmissionRequest{
 	pub SubmissionID:i64,
 	pub ModelID:u64,
 	pub ModelVersion:u64,
-	pub Creator:String,
-	pub DisplayName:String,
-	pub GameID:u32,
-	//games:HashSet<GameID>,
+	pub ModelName:String,
 }

 #[allow(nonstandard_style)]
 #[derive(serde::Deserialize)]
-pub struct PublishFixRequest{
-	pub SubmissionID:i64,
+pub struct UploadMapfixRequest{
+	pub MapfixID:i64,
 	pub ModelID:u64,
 	pub ModelVersion:u64,
 	pub TargetAssetID:u64,
--- a/validation/src/publish_fix.rs
+++ b/validation/src/publish_fix.rs
@@ -1,62 +0,0 @@
-use crate::nats_types::PublishFixRequest;
-
-#[allow(dead_code)]
-#[derive(Debug)]
-pub enum PublishError{
-	Get(rbx_asset::cookie::GetError),
-	Json(serde_json::Error),
-	Upload(rbx_asset::cookie::UploadError),
-	ApiActionSubmissionPublish(submissions_api::Error),
-}
-impl std::fmt::Display for PublishError{
-	fn fmt(&self,f:&mut std::fmt::Formatter<'_>)->std::fmt::Result{
-		write!(f,"{self:?}")
-	}
-}
-impl std::error::Error for PublishError{}
-
-pub struct Publisher{
-	roblox_cookie:rbx_asset::cookie::CookieContext,
-	api:submissions_api::Context,
-}
-impl Publisher{
-	pub const fn new(
-		roblox_cookie:rbx_asset::cookie::CookieContext,
-		api:submissions_api::Context,
-	)->Self{
-		Self{
-			roblox_cookie,
-			api,
-		}
-	}
-	pub async fn publish(&self,message:async_nats::jetstream::Message)->Result<(),PublishError>{
-		println!("publish_fix {:?}",message.message.payload);
-		// decode json
-		let publish_info:PublishFixRequest=serde_json::from_slice(&message.payload).map_err(PublishError::Json)?;
-
-		// download the map model version
-		let model_data=self.roblox_cookie.get_asset(rbx_asset::cookie::GetAssetRequest{
-			asset_id:publish_info.ModelID,
-			version:Some(publish_info.ModelVersion),
-		}).await.map_err(PublishError::Get)?;
-
-		// upload the map to the strafesnet group
-		let _upload_response=self.roblox_cookie.upload(rbx_asset::cookie::UploadRequest{
-			assetid:publish_info.TargetAssetID,
-			groupId:Some(crate::GROUP_STRAFESNET),
-			name:None,
-			description:None,
-			ispublic:None,
-			allowComments:None,
-		},model_data).await.map_err(PublishError::Upload)?;
-
-		// that's it, the database entry does not need to be changed.
-
-		// mark submission as published
-		self.api.action_submission_publish(
-			submissions_api::SubmissionID(publish_info.SubmissionID)
-		).await.map_err(PublishError::ApiActionSubmissionPublish)?;
-
-		Ok(())
-	}
-}
--- a/validation/src/publish_new.rs
+++ b/validation/src/publish_new.rs
@@ -1,60 +0,0 @@
-use crate::nats_types::PublishNewRequest;
-
-#[allow(dead_code)]
-#[derive(Debug)]
-pub enum PublishError{
-	Get(rbx_asset::cookie::GetError),
-	Json(serde_json::Error),
-	Create(rbx_asset::cookie::CreateError),
-	SystemTime(std::time::SystemTimeError),
-	ApiActionSubmissionPublish(submissions_api::Error),
-}
-impl std::fmt::Display for PublishError{
-	fn fmt(&self,f:&mut std::fmt::Formatter<'_>)->std::fmt::Result{
-		write!(f,"{self:?}")
-	}
-}
-impl std::error::Error for PublishError{}
-
-pub struct Publisher{
-	roblox_cookie:rbx_asset::cookie::CookieContext,
-	api:submissions_api::Context,
-}
-impl Publisher{
-	pub const fn new(
-		roblox_cookie:rbx_asset::cookie::CookieContext,
-		api:submissions_api::Context,
-	)->Self{
-		Self{
-			roblox_cookie,
-			api,
-		}
-	}
-	pub async fn publish(&self,message:async_nats::jetstream::Message)->Result<(),PublishError>{
-		println!("publish_new {:?}",message.message.payload);
-		// decode json
-		let publish_info:PublishNewRequest=serde_json::from_slice(&message.payload).map_err(PublishError::Json)?;
-
-		// download the map model version
-		let model_data=self.roblox_cookie.get_asset(rbx_asset::cookie::GetAssetRequest{
-			asset_id:publish_info.ModelID,
-			version:Some(publish_info.ModelVersion),
-		}).await.map_err(PublishError::Get)?;
-
-		// upload the map to the strafesnet group
-		let upload_response=self.roblox_cookie.create(rbx_asset::cookie::CreateRequest{
-			name:publish_info.DisplayName.clone(),
-			description:"".to_owned(),
-			ispublic:false,
-			allowComments:false,
-			groupId:Some(crate::GROUP_STRAFESNET),
-		},model_data).await.map_err(PublishError::Create)?;
-
-		// mark submission as published
-		self.api.action_submission_publish(
-			submissions_api::SubmissionID(publish_info.SubmissionID)
-		).await.map_err(PublishError::ApiActionSubmissionPublish)?;
-
-		Ok(())
-	}
-}
--- a/validation/src/types.rs
+++ b/validation/src/types.rs
@@ -0,0 +1,4 @@
+pub enum ResourceID{
+	Mapfix(i64),
+	Submission(i64),
+}
--- a/validation/src/upload_mapfix.rs
+++ b/validation/src/upload_mapfix.rs
@@ -0,0 +1,50 @@
+use crate::nats_types::UploadMapfixRequest;
+
+#[allow(dead_code)]
+#[derive(Debug)]
+pub enum UploadError{
+	Get(rbx_asset::cookie::GetError),
+	Json(serde_json::Error),
+	Upload(rbx_asset::cookie::UploadError),
+	ApiActionMapfixUploaded(submissions_api::Error),
+}
+impl std::fmt::Display for UploadError{
+	fn fmt(&self,f:&mut std::fmt::Formatter<'_>)->std::fmt::Result{
+		write!(f,"{self:?}")
+	}
+}
+impl std::error::Error for UploadError{}
+
+pub struct Uploader(crate::uploader::Uploader);
+impl Uploader{
+	pub const fn new(inner:crate::uploader::Uploader)->Self{
+		Self(inner)
+	}
+	pub async fn upload(&self,upload_info:UploadMapfixRequest)->Result<(),UploadError>{
+		let Self(uploader)=self;
+		// download the map model version
+		let model_data=uploader.roblox_cookie.get_asset(rbx_asset::cookie::GetAssetRequest{
+			asset_id:upload_info.ModelID,
+			version:Some(upload_info.ModelVersion),
+		}).await.map_err(UploadError::Get)?;
+
+		// upload the map to the strafesnet group
+		let _upload_response=uploader.roblox_cookie.upload(rbx_asset::cookie::UploadRequest{
+			assetid:upload_info.TargetAssetID,
+			groupId:uploader.group_id,
+			name:None,
+			description:None,
+			ispublic:None,
+			allowComments:None,
+		},model_data).await.map_err(UploadError::Upload)?;
+
+		// that's it, the database entry does not need to be changed.
+
+		// mark mapfix as uploaded, TargetAssetID is unchanged
+		uploader.api.action_mapfix_uploaded(submissions_api::types::ActionMapfixUploadedRequest{
+			MapfixID:upload_info.MapfixID,
+		}).await.map_err(UploadError::ApiActionMapfixUploaded)?;
+
+		Ok(())
+	}
+}
--- a/validation/src/upload_submission.rs
+++ b/validation/src/upload_submission.rs
@@ -0,0 +1,49 @@
+use crate::nats_types::UploadSubmissionRequest;
+
+#[allow(dead_code)]
+#[derive(Debug)]
+pub enum UploadError{
+	Get(rbx_asset::cookie::GetError),
+	Json(serde_json::Error),
+	Create(rbx_asset::cookie::CreateError),
+	SystemTime(std::time::SystemTimeError),
+	ApiActionSubmissionUploaded(submissions_api::Error),
+}
+impl std::fmt::Display for UploadError{
+	fn fmt(&self,f:&mut std::fmt::Formatter<'_>)->std::fmt::Result{
+		write!(f,"{self:?}")
+	}
+}
+impl std::error::Error for UploadError{}
+
+pub struct Uploader(crate::uploader::Uploader);
+impl Uploader{
+	pub const fn new(inner:crate::uploader::Uploader)->Self{
+		Self(inner)
+	}
+	pub async fn upload(&self,upload_info:UploadSubmissionRequest)->Result<(),UploadError>{
+		let Self(uploader)=self;
+		// download the map model version
+		let model_data=uploader.roblox_cookie.get_asset(rbx_asset::cookie::GetAssetRequest{
+			asset_id:upload_info.ModelID,
+			version:Some(upload_info.ModelVersion),
+		}).await.map_err(UploadError::Get)?;
+
+		// upload the map to the strafesnet group
+		let upload_response=uploader.roblox_cookie.create(rbx_asset::cookie::CreateRequest{
+			name:upload_info.ModelName.clone(),
+			description:"".to_owned(),
+			ispublic:false,
+			allowComments:false,
+			groupId:uploader.group_id,
+		},model_data).await.map_err(UploadError::Create)?;
+
+		// note the asset id of the created model for later release, and mark the submission as uploaded
+		uploader.api.action_submission_uploaded(submissions_api::types::ActionSubmissionUploadedRequest{
+			SubmissionID:upload_info.SubmissionID,
+			UploadedAssetID:upload_response.AssetId,
+		}).await.map_err(UploadError::ApiActionSubmissionUploaded)?;
+
+		Ok(())
+	}
+}
--- a/validation/src/uploader.rs
+++ b/validation/src/uploader.rs
@@ -0,0 +1,18 @@
+pub struct Uploader{
+	pub(crate) roblox_cookie:rbx_asset::cookie::CookieContext,
+	pub(crate) group_id:Option<u64>,
+	pub(crate) api:submissions_api::internal::Context,
+}
+impl Uploader{
+	pub const fn new(
+		roblox_cookie:rbx_asset::cookie::CookieContext,
+		group_id:Option<u64>,
+		api:submissions_api::internal::Context,
+	)->Self{
+		Self{
+			roblox_cookie,
+			group_id,
+			api,
+		}
+	}
+}
--- a/validation/src/validate_mapfix.rs
+++ b/validation/src/validate_mapfix.rs
@@ -0,0 +1,45 @@
+use crate::nats_types::ValidateMapfixRequest;
+
+#[allow(dead_code)]
+#[derive(Debug)]
+pub enum ValidateMapfixError{
+	ApiActionMapfixValidate(submissions_api::Error),
+}
+impl std::fmt::Display for ValidateMapfixError{
+	fn fmt(&self,f:&mut std::fmt::Formatter<'_>)->std::fmt::Result{
+		write!(f,"{self:?}")
+	}
+}
+impl std::error::Error for ValidateMapfixError{}
+
+pub struct Validator(crate::validator::Validator);
+impl Validator{
+	pub const fn new(inner:crate::validator::Validator)->Self{
+		Self(inner)
+	}
+	pub async fn validate(&self,validate_info:ValidateMapfixRequest)->Result<(),ValidateMapfixError>{
+		let Self(validator)=self;
+
+		let mapfix_id=validate_info.MapfixID;
+		let validate_result=validator.validate(validate_info.into()).await;
+
+		// update the mapfix depending on the result
+		match &validate_result{
+			Ok(())=>{
+				// update the mapfix model status to validated
+				validator.api.action_mapfix_validated(
+					submissions_api::types::MapfixID(mapfix_id)
+				).await.map_err(ValidateMapfixError::ApiActionMapfixValidate)?;
+			},
+			Err(e)=>{
+				// update the mapfix model status to accepted
+				validator.api.action_mapfix_accepted(submissions_api::types::ActionMapfixAcceptedRequest{
+					MapfixID:mapfix_id,
+					StatusMessage:format!("{e}"),
+				}).await.map_err(ValidateMapfixError::ApiActionMapfixValidate)?;
+			},
+		}
+
+		Ok(())
+	}
+}
--- a/validation/src/validate_submission.rs
+++ b/validation/src/validate_submission.rs
@@ -0,0 +1,45 @@
+use crate::nats_types::ValidateSubmissionRequest;
+
+#[allow(dead_code)]
+#[derive(Debug)]
+pub enum ValidateSubmissionError{
+	ApiActionSubmissionValidate(submissions_api::Error),
+}
+impl std::fmt::Display for ValidateSubmissionError{
+	fn fmt(&self,f:&mut std::fmt::Formatter<'_>)->std::fmt::Result{
+		write!(f,"{self:?}")
+	}
+}
+impl std::error::Error for ValidateSubmissionError{}
+
+pub struct Validator(crate::validator::Validator);
+impl Validator{
+	pub const fn new(inner:crate::validator::Validator)->Self{
+		Self(inner)
+	}
+	pub async fn validate(&self,validate_info:ValidateSubmissionRequest)->Result<(),ValidateSubmissionError>{
+		let Self(validator)=self;
+
+		let submission_id=validate_info.SubmissionID;
+		let validate_result=validator.validate(validate_info.into()).await;
+
+		// update the submission depending on the result
+		match &validate_result{
+			Ok(())=>{
+				// update the submission model status to validated
+				validator.api.action_submission_validated(
+					submissions_api::types::SubmissionID(submission_id)
+				).await.map_err(ValidateSubmissionError::ApiActionSubmissionValidate)?;
+			},
+			Err(e)=>{
+				// update the submission model status to accepted
+				validator.api.action_submission_accepted(submissions_api::types::ActionSubmissionAcceptedRequest{
+					SubmissionID:submission_id,
+					StatusMessage:format!("{e}"),
+				}).await.map_err(ValidateSubmissionError::ApiActionSubmissionValidate)?;
+			},
+		}
+
+		Ok(())
+	}
+}
--- a/validation/src/validator.rs
+++ b/validation/src/validator.rs
@@ -1,6 +1,7 @@
 use futures::TryStreamExt;
+use submissions_api::types::ResourceType;

-use crate::nats_types::ValidateRequest;
+use crate::types::ResourceID;

 const SCRIPT_CONCURRENCY:usize=16;

@@ -12,21 +13,42 @@ enum Policy{
 	Replace(String),
 }

-#[allow(dead_code)]
+struct NamePolicy{
+	name:String,
+	policy:Policy,
+}
+
+fn source_has_illegal_keywords(source:&str)->bool{
+	source.find("getfenv").is_some()||source.find("require").is_some()
+}
+
+fn hash_source(source:&str)->String{
+	let mut hasher=siphasher::sip::SipHasher::new();
+	std::hash::Hasher::write(&mut hasher,source.as_bytes());
+	let hash=std::hash::Hasher::finish(&hasher);
+	format!("{:016x}",hash)
+}
+
+// #[allow(dead_code)]
 #[derive(Debug)]
 pub enum ValidateError{
-	Blocked,
-	NotAllowed,
-	Get(rbx_asset::cookie::GetError),
-	Json(serde_json::Error),
-	ReadDom(ReadDomError),
-	ApiGetScriptPolicy(submissions_api::Error),
+	ScriptFlaggedIllegalKeyword(String),
+	ScriptBlocked(Option<submissions_api::types::ScriptID>),
+	ScriptNotYetReviewed(Option<submissions_api::types::ScriptID>),
+	ModelFileDownload(rbx_asset::cookie::GetError),
+	ModelFileDecode(ReadDomError),
+	ApiGetScriptPolicyFromHash(submissions_api::types::SingleItemError),
 	ApiGetScript(submissions_api::Error),
+	ApiCreateScript(submissions_api::Error),
+	ApiCreateScriptPolicy(submissions_api::Error),
+	ApiGetScriptFromHash(submissions_api::types::SingleItemError),
+	ApiUpdateMapfixModel(submissions_api::Error),
 	ApiUpdateSubmissionModel(submissions_api::Error),
-	ApiActionSubmissionValidate(submissions_api::Error),
-	WriteDom(rbx_binary::EncodeError),
-	Upload(rbx_asset::cookie::UploadError),
-	Create(rbx_asset::cookie::CreateError),
+	ModelFileRootMustHaveOneChild,
+	ModelFileChildRefIsNil,
+	ModelFileEncode(rbx_binary::EncodeError),
+	AssetUpload(rbx_asset::cookie::UploadError),
+	AssetCreate(rbx_asset::cookie::CreateError),
 }
 impl std::fmt::Display for ValidateError{
 	fn fmt(&self,f:&mut std::fmt::Formatter<'_>)->std::fmt::Result{
@@ -35,89 +57,158 @@ impl std::fmt::Display for ValidateError{
 }
 impl std::error::Error for ValidateError{}

+#[allow(nonstandard_style)]
+pub struct ValidateRequest{
+	pub ModelID:u64,
+	pub ModelVersion:u64,
+	pub ValidatedModelID:Option<u64>,
+	pub ResourceID:ResourceID,
+}
+
+impl From<crate::nats_types::ValidateMapfixRequest> for ValidateRequest{
+	fn from(value:crate::nats_types::ValidateMapfixRequest)->Self{
+		Self{
+			ModelID:value.ModelID,
+			ModelVersion:value.ModelVersion,
+			ValidatedModelID:value.ValidatedModelID,
+			ResourceID:ResourceID::Mapfix(value.MapfixID),
+		}
+	}
+}
+impl From<crate::nats_types::ValidateSubmissionRequest> for ValidateRequest{
+	fn from(value:crate::nats_types::ValidateSubmissionRequest)->Self{
+		Self{
+			ModelID:value.ModelID,
+			ModelVersion:value.ModelVersion,
+			ValidatedModelID:value.ValidatedModelID,
+			ResourceID:ResourceID::Submission(value.SubmissionID),
+		}
+	}
+}
+
 pub struct Validator{
-	roblox_cookie:rbx_asset::cookie::CookieContext,
-	api:submissions_api::Context,
+	pub(crate) roblox_cookie:rbx_asset::cookie::CookieContext,
+	pub(crate) api:submissions_api::internal::Context,
 }

 impl Validator{
 	pub const fn new(
 		roblox_cookie:rbx_asset::cookie::CookieContext,
-		api:submissions_api::Context,
+		api:submissions_api::internal::Context,
 	)->Self{
 		Self{
 			roblox_cookie,
 			api,
 		}
 	}
-	pub async fn validate(&self,message:async_nats::jetstream::Message)->Result<(),ValidateError>{
-		println!("validate {:?}",message.message.payload);
-		// decode json
-		let validate_info:ValidateRequest=serde_json::from_slice(&message.payload).map_err(ValidateError::Json)?;
-
+	pub async fn validate(&self,validate_info:ValidateRequest)->Result<(),ValidateError>{
 		// download map
 		let data=self.roblox_cookie.get_asset(rbx_asset::cookie::GetAssetRequest{
 			asset_id:validate_info.ModelID,
 			version:Some(validate_info.ModelVersion),
-		}).await.map_err(ValidateError::Get)?;
+		}).await.map_err(ValidateError::ModelFileDownload)?;

 		// decode dom (slow!)
-		let mut dom=read_dom(&mut std::io::Cursor::new(data)).map_err(ValidateError::ReadDom)?;
+		let mut dom=read_dom(&mut std::io::Cursor::new(data)).map_err(ValidateError::ModelFileDecode)?;

 		/* VALIDATE MAP */

 		// collect unique scripts
 		let script_refs=get_script_refs(&dom);
-		let mut script_map=std::collections::HashMap::<String,Policy>::new();
+		let mut script_map=std::collections::HashMap::<String,NamePolicy>::new();
 		for &script_ref in &script_refs{
 			if let Some(script)=dom.get_by_ref(script_ref){
 				if let Some(rbx_dom_weak::types::Variant::String(source))=script.properties.get("Source"){
-					script_map.insert(source.clone(),Policy::None);
+					// check the source for illegal keywords
+					if source_has_illegal_keywords(source){
+						// immediately abort
+						// grab path to offending script
+						let path=get_partial_path(&dom,script);
+						return Err(ValidateError::ScriptFlaggedIllegalKeyword(path));
+					}
+					// associate a name and policy with the source code
+					// policy will be fetched from the database to replace the default policy
+					script_map.insert(source.clone(),NamePolicy{
+						name:get_partial_path(&dom,script),
+						policy:Policy::None,
+					});
 				}
 			}
 		}

 		// send all script hashes to REST endpoint and retrieve the replacements
 		futures::stream::iter(script_map.iter_mut().map(Ok))
-		.try_for_each_concurrent(Some(SCRIPT_CONCURRENCY),|(source,replacement)|async{
+		.try_for_each_concurrent(Some(SCRIPT_CONCURRENCY),|(source,NamePolicy{policy,name})|async{
 			// get the hash
-			let mut hasher=siphasher::sip::SipHasher::new();
-			std::hash::Hasher::write(&mut hasher,source.as_bytes());
-			let hash=std::hash::Hasher::finish(&hasher);
+			let hash=hash_source(source.as_str());

 			// fetch the script policy
-			let script_policy=self.api.get_script_policy_from_hash(submissions_api::ScriptPolicyHashRequest{
-				hash:format!("{:x}",hash),
-			}).await.map_err(ValidateError::ApiGetScriptPolicy)?;
+			let script_policy=self.api.get_script_policy_from_hash(submissions_api::types::HashRequest{
+				hash:hash.as_str(),
+			}).await.map_err(ValidateError::ApiGetScriptPolicyFromHash)?;

 			// write the policy to the script_map, fetching the replacement code if necessary
-			*replacement=match script_policy.Policy{
-				submissions_api::Policy::None=>Policy::None,
-				submissions_api::Policy::Allowed=>Policy::Allowed,
-				submissions_api::Policy::Blocked=>Policy::Blocked,
-				submissions_api::Policy::Delete=>Policy::Delete,
-				submissions_api::Policy::Replace=>{
-					let script=self.api.get_script(submissions_api::GetScriptRequest{
-						ScriptID:script_policy.ToScriptID,
-					}).await.map_err(ValidateError::ApiGetScript)?;
-					Policy::Replace(script.Source)
-				},
-			};
+			if let Some(script_policy)=script_policy{
+				*policy=match script_policy.Policy{
+					submissions_api::types::Policy::None=>Policy::None,
+					submissions_api::types::Policy::Allowed=>Policy::Allowed,
+					submissions_api::types::Policy::Blocked=>Policy::Blocked,
+					submissions_api::types::Policy::Delete=>Policy::Delete,
+					submissions_api::types::Policy::Replace=>{
+						let script=self.api.get_script(submissions_api::types::GetScriptRequest{
+							ScriptID:script_policy.ToScriptID,
+						}).await.map_err(ValidateError::ApiGetScript)?;
+						Policy::Replace(script.Source)
+					},
+				};
+			}else{
+				let (resource_type,resource_id)=match validate_info.ResourceID{
+					ResourceID::Mapfix(mapfix_id)=>(ResourceType::Mapfix,mapfix_id),
+					ResourceID::Submission(submission_id)=>(ResourceType::Submission,submission_id),
+				};
+
+				// upload the script
+				let script=self.api.create_script(submissions_api::types::CreateScriptRequest{
+					Name:name.as_str(),
+					Source:source.as_str(),
+					ResourceType:resource_type,
+					ResourceID:Some(resource_id),
+				}).await.map_err(ValidateError::ApiCreateScript)?;
+
+				// create a None policy (pending review by yours truly)
+				self.api.create_script_policy(submissions_api::types::CreateScriptPolicyRequest{
+					ToScriptID:script.ID,
+					FromScriptID:script.ID,
+					Policy:submissions_api::types::Policy::None,
+				}).await.map_err(ValidateError::ApiCreateScriptPolicy)?;
+			}

 			Ok(())
 		})
 		.await?;

 		// make the replacements
-		let mut modified=false;
+		let mut modified=true;
 		for &script_ref in &script_refs{
 			if let Some(script)=dom.get_by_ref_mut(script_ref){
 				if let Some(rbx_dom_weak::types::Variant::String(source))=script.properties.get_mut("Source"){
-					match script_map.get(source.as_str()){
-						Some(Policy::Blocked)=>return Err(ValidateError::Blocked),
+					match script_map.get(source.as_str()).map(|p|&p.policy){
+						Some(Policy::Blocked)=>{
+							let hash=hash_source(source.as_str());
+							let script=self.api.get_script_from_hash(submissions_api::types::HashRequest{
+								hash:hash.as_str(),
+							}).await.map_err(ValidateError::ApiGetScriptFromHash)?;
+							return Err(ValidateError::ScriptBlocked(script.map(|s|s.ID)));
+						},
 						None
 						|Some(Policy::None)
-						=>return Err(ValidateError::NotAllowed),
+						=>{
+							let hash=hash_source(source.as_str());
+							let script=self.api.get_script_from_hash(submissions_api::types::HashRequest{
+								hash:hash.as_str(),
+							}).await.map_err(ValidateError::ApiGetScriptFromHash)?;
+							return Err(ValidateError::ScriptNotYetReviewed(script.map(|s|s.ID)));
+						},
 						Some(Policy::Allowed)=>(),
 						Some(Policy::Delete)=>{
 							modified=true;
@@ -133,11 +224,16 @@ impl Validator{
 			}
 		}

+		println!("[Validator] Forcing model upload! modified=true");
+
 		// if the model was validated, the submission must be changed to use the modified model
 		if modified{
 			// serialize model (slow!)
 			let mut data=Vec::new();
-			rbx_binary::to_writer(&mut data,&dom,dom.root().children()).map_err(ValidateError::WriteDom)?;
+			let &[map_ref]=dom.root().children()else{
+				return Err(ValidateError::ModelFileRootMustHaveOneChild);
+			};
+			rbx_binary::to_writer(&mut data,&dom,&[map_ref]).map_err(ValidateError::ModelFileEncode)?;

 			// upload a model lol
 			let model_id=if let Some(model_id)=validate_info.ValidatedModelID{
@@ -149,34 +245,45 @@ impl Validator{
 					ispublic:None,
 					allowComments:None,
 					groupId:None,
-				},data).await.map_err(ValidateError::Upload)?;
+				},data).await.map_err(ValidateError::AssetUpload)?;

 				response.AssetId
 			}else{
+				// grab the map instance from the map re
+				let Some(map_instance)=dom.get_by_ref(map_ref)else{
+					return Err(ValidateError::ModelFileChildRefIsNil);
+				};
 				// create new model
 				let response=self.roblox_cookie.create(rbx_asset::cookie::CreateRequest{
-					name:dom.root().name.clone(),
+					name:map_instance.name.clone(),
 					description:"".to_owned(),
 					ispublic:true,
 					allowComments:true,
 					groupId:None,
-				},data).await.map_err(ValidateError::Create)?;
+				},data).await.map_err(ValidateError::AssetCreate)?;

 				response.AssetId
 			};

-			// update the submission to use the validated model
-			self.api.update_submission_model(submissions_api::UpdateSubmissionModelRequest{
-				ID:validate_info.SubmissionID,
-				ModelID:model_id,
-				ModelVersion:1, //TODO
-			}).await.map_err(ValidateError::ApiUpdateSubmissionModel)?;
-		};
-
-		// update the submission model status to validated
-		self.api.action_submission_validate(
-			submissions_api::SubmissionID(validate_info.SubmissionID)
-		).await.map_err(ValidateError::ApiActionSubmissionValidate)?;
+			match validate_info.ResourceID{
+				ResourceID::Mapfix(mapfix_id)=>{
+					// update the mapfix to use the validated model
+					self.api.update_mapfix_validated_model(submissions_api::types::UpdateMapfixModelRequest{
+						MapfixID:mapfix_id,
+						ModelID:model_id,
+						ModelVersion:1, //TODO
+					}).await.map_err(ValidateError::ApiUpdateMapfixModel)?;
+				},
+				ResourceID::Submission(submission_id)=>{
+					// update the submission to use the validated model
+					self.api.update_submission_validated_model(submissions_api::types::UpdateSubmissionModelRequest{
+						SubmissionID:submission_id,
+						ModelID:model_id,
+						ModelVersion:1, //TODO
+					}).await.map_err(ValidateError::ApiUpdateSubmissionModel)?;
+				},
+			}
+		}

 		Ok(())
 	}
@@ -238,6 +345,19 @@ fn recursive_collect_superclass(objects:&mut std::vec::Vec<rbx_dom_weak::types::
 	}
 }

+fn get_partial_path(dom:&rbx_dom_weak::WeakDom,instance:&rbx_dom_weak::Instance)->String{
+	let mut names:Vec<_>=core::iter::successors(
+		Some(instance),
+		|i|dom.get_by_ref(i.parent())
+	).map(
+		|i|i.name.as_str()
+	).collect();
+	// discard the name of the root object
+	names.pop();
+	names.reverse();
+	names.join(".")
+}
+
 fn get_script_refs(dom:&rbx_dom_weak::WeakDom)->Vec<rbx_dom_weak::types::Ref>{
 	let mut scripts=std::vec::Vec::new();
 	recursive_collect_superclass(&mut scripts,dom,dom.root(),"LuaSourceContainer");
--- a/web/next.config.ts
+++ b/web/next.config.ts
@@ -3,14 +3,17 @@ import type { NextConfig } from "next";
 const nextConfig: NextConfig = {
    distDir: "build",
    output: "standalone",
-    rewrites: async () => {
-    	return [
-     		{
-       			source: "/v1/submissions/:submissionid/status/:statustype",
-          		destination: "http://mapsservice:8082/v1/submissions/:submissionid/status/:statustype"
-       		}
-     	]
-    }
+    images: {
+		remotePatterns: [
+			{
+				protocol: 'https',
+				hostname: 'api.ic3.space',
+				pathname: '/strafe/map-images/**',
+				port: '',
+				search: '',
+			},
+		],
+	},
 };

 export default nextConfig;
--- a/web/package.json
+++ b/web/package.json
@@ -3,7 +3,7 @@
  "version": "0.1.0",
  "private": true,
  "scripts": {
-    "dev": "next dev -p 3000",
+    "dev": "next dev -p 3000 --turbopack",
    "build": "next build",
    "start": "next start -p 3000",
    "lint": "next lint"
--- a/web/src/app/_components/header.tsx
+++ b/web/src/app/_components/header.tsx
@@ -18,10 +18,10 @@ export default function Header() {
 	return (
 		<header className="header-bar">
 			<nav className="left">
-				<HeaderButton name="Maps" href=""/>
+				<HeaderButton name="Submissions" href="/submissions"/>
 			</nav>
 			<nav className="right">
-				<HeaderButton name="Home" href=""/>
+				<HeaderButton name="Submit" href="/submit"/>
 				<HeaderButton name="Need" href=""/>
 				<HeaderButton name="Menu" href=""/>
 				<HeaderButton name="Items" href=""/>
--- a/web/src/app/_components/styles/header.scss
+++ b/web/src/app/_components/styles/header.scss
@@ -2,8 +2,8 @@
 	display: flex;
 	justify-content: space-between;
 	align-items: center;
-	width: 100vw;
-	height: 60px;
+	width: 100%;
+	height: var(--header-height);
 	background: var(--header-grad-left);
 	background: linear-gradient(180deg, var(--header-grad-left) 0%, var(--header-grad-right) 100%);

@@ -24,7 +24,7 @@
 	.right {
 		display: flex;
 		gap: 7px;
-		margin-right: 50px;
+		margin-right: 35px;

 		button {
 			font-size: 1rem;
--- a/web/src/app/_components/webpage.tsx
+++ b/web/src/app/_components/webpage.tsx
@@ -1,8 +1,27 @@
+"use client"
+
+import { redirect } from "next/navigation";
+import { useEffect } from "react";
+
 import Header from "./header";

+async function login_check() {
+	const response = await fetch("/api/session/validate")
+	if (response.ok) {
+		const logged_in = await response.json()
+		if (!logged_in) {
+			redirect("https://auth.staging.strafes.net/oauth2/login?redirect=" + window.location.href)
+		}
+	} else {
+		console.error("No response from /api/session/validate")
+	}
+}
+
 export default function Webpage({children}: Readonly<{children?: React.ReactNode}>) {
-    return (<>
-        <Header/>
-        {children}
-    </>)
-}
+	useEffect(() => { login_check() }, [])
+
+	return <>
+		<Header/>
+		{children}
+	</>
+}
--- a/web/src/app/globals.scss
+++ b/web/src/app/globals.scss
@@ -10,6 +10,8 @@ $form-label-fontsize: 1.3rem;
 :root {
 	color-scheme: light dark;

+	--header-height: 45px;
+
 	--page:                white;
 	--header-grad-left:    #363b40;
 	--header-grad-right:   #353a40;
--- a/web/src/app/submissions/(styles)/page.scss
+++ b/web/src/app/submissions/(styles)/page.scss
@@ -0,0 +1,75 @@
+@forward "./page/card.scss";
+
+@use "../../globals.scss";
+
+a {
+	color:rgb(255, 255, 255);
+
+	&:visited, &:hover, &:focus {
+		text-decoration: none;
+		color: rgb(255, 255, 255);
+	}
+	&:active {
+		color: rgb(192, 192, 192)
+	}
+}
+
+.grid {
+	display: grid;
+	grid-template-columns: repeat(auto-fit, minmax(220px, 1fr));
+	grid-template-rows: repeat(3, 1fr);
+	gap: 16px;
+	max-width: 100%;
+	margin: 0 auto;
+	overflow-x: hidden;
+	box-sizing: border-box;
+}
+
+@media (max-width: 768px) {
+	.grid {
+		grid-template-columns: repeat(auto-fit, minmax(180px, 1fr));
+	}
+}
+
+.pagination {
+	display: flex;
+	justify-content: center;
+	align-items: center;
+	gap: 1rem;
+	margin: 0.3rem;
+}
+
+.pagination button {
+	padding: 0.25rem 0.5rem;
+	font-size: 1.15rem;
+	border: none;
+	border-radius: 0.35rem;
+	background-color: #33333350;
+	color: #fff;
+	cursor: pointer;
+}
+
+.pagination button:disabled {
+	background-color: #5555559a;
+	cursor: not-allowed;
+}
+
+.pagination-dots {
+	display: flex;
+	flex-wrap: wrap;
+	gap: 0.35rem;
+	justify-content: center;
+	width: 100%;
+}
+
+.dot {
+	width: 10px;
+	height: 10px;
+	border-radius: 50%;
+	background-color: #bbb;
+	cursor: pointer;
+}
+
+.dot.active {
+	background-color: #333;
+}
--- a/web/src/app/submissions/(styles)/page/card.scss
+++ b/web/src/app/submissions/(styles)/page/card.scss
@@ -0,0 +1,87 @@
+@use "../../../globals.scss";
+
+.submissionCard {
+	display: flex;
+	background-color: #2020207c;
+	border: 1px solid #97979783;
+	border-radius: 10px;
+	box-sizing: border-box;
+	flex-direction: column;
+	justify-content: space-between;
+	height: 100%;
+	min-width: 180px;
+	max-width: 340px;
+}
+
+.content {
+	display: flex;
+	flex-grow: 1;
+	flex-direction: column;
+	justify-content: space-between;
+}
+
+.details {
+	padding: 2px 4px;
+}
+
+.header {
+	display: flex;
+	justify-content: space-between;
+	align-items: center;
+	margin: 3px 0px;
+}
+
+.footer {
+	display: flex;
+	justify-content: space-between;
+	align-items: center;
+	margin: 3px 0px;
+}
+
+.map-image {
+	border-radius: 10px 10px 0 0;
+	overflow: hidden;
+
+	> img {
+		width: 100%;
+		height: 100%;
+		object-fit: cover;
+	}
+}
+
+.displayName {
+	font-size: 1rem;
+	font-weight: bold;
+	overflow: hidden;
+	max-width: 70%;
+	text-overflow: ellipsis;
+	white-space: nowrap;
+}
+
+.rating {
+	flex-shrink: 0;
+}
+
+.author {
+	display: flex;
+	align-items: center;
+	gap: 0.5rem;
+	flex-grow: 1;
+	min-width: 0;
+}
+
+.author span {
+	white-space: nowrap;
+	overflow: hidden;
+	text-overflow: ellipsis;
+}
+
+.rating {
+	margin-left: auto;
+	flex-shrink: 0;
+}
+
+.avatar {
+	border-radius: 50%;
+	object-fit: cover;
+}
--- a/Show More
+++ b/Show More