[{"data":1,"prerenderedAt":778},["ShallowReactive",2],{"navigation_docs":3,"-apps-csp-and-wiring":282,"-apps-csp-and-wiring-surround":773},[4,40,70,99,122,156,189,253],{"title":5,"path":6,"stem":7,"children":8,"page":39},"Getting Started","\u002Fgetting-started","1.getting-started",[9,14,19,24,29,34],{"title":10,"path":11,"stem":12,"icon":13},"Introduction","\u002Fgetting-started\u002Fintroduction","1.getting-started\u002F1.introduction","i-lucide-book-open",{"title":15,"path":16,"stem":17,"icon":18},"Installation","\u002Fgetting-started\u002Finstallation","1.getting-started\u002F2.installation","i-lucide-download",{"title":20,"path":21,"stem":22,"icon":23},"Configuration","\u002Fgetting-started\u002Fconfiguration","1.getting-started\u002F3.configuration","i-lucide-settings",{"title":25,"path":26,"stem":27,"icon":28},"Inspector","\u002Fgetting-started\u002Finspector","1.getting-started\u002F4.inspector","i-lucide-circuit-board",{"title":30,"path":31,"stem":32,"icon":33},"Connection","\u002Fgetting-started\u002Fconnection","1.getting-started\u002F5.connection","i-lucide-plug",{"title":35,"path":36,"stem":37,"icon":38},"Agent Skills","\u002Fgetting-started\u002Fagent-skills","1.getting-started\u002F6.agent-skills","i-lucide-sparkles",false,{"title":41,"path":42,"stem":43,"children":44,"page":39},"Tools","\u002Ftools","2.tools",[45,50,55,60,65],{"title":46,"path":47,"stem":48,"icon":49},"Overview","\u002Ftools\u002Foverview","2.tools\u002F0.overview","i-lucide-wrench",{"title":51,"path":52,"stem":53,"icon":54},"Schema, handler & returns","\u002Ftools\u002Fschema-handler","2.tools\u002F1.schema-handler","i-lucide-braces",{"title":56,"path":57,"stem":58,"icon":59},"Annotations & input examples","\u002Ftools\u002Fannotations","2.tools\u002F2.annotations","i-lucide-badge-info",{"title":61,"path":62,"stem":63,"icon":64},"Errors & caching","\u002Ftools\u002Ferrors-caching","2.tools\u002F3.errors-caching","i-lucide-shield",{"title":66,"path":67,"stem":68,"icon":69},"Groups, files & dynamic registration","\u002Ftools\u002Fgroups-organization","2.tools\u002F4.groups-organization","i-lucide-tags",{"title":71,"path":72,"stem":73,"children":74,"page":39},"Resources","\u002Fresources","3.resources",[75,79,84,89,94],{"title":46,"path":76,"stem":77,"icon":78},"\u002Fresources\u002Foverview","3.resources\u002F0.overview","i-lucide-package",{"title":80,"path":81,"stem":82,"icon":83},"Static resources & structure","\u002Fresources\u002Fstatic-and-structure","3.resources\u002F1.static-and-structure","i-lucide-file-stack",{"title":85,"path":86,"stem":87,"icon":88},"Templates & handlers","\u002Fresources\u002Ftemplates-and-handlers","3.resources\u002F2.templates-and-handlers","i-lucide-git-branch",{"title":90,"path":91,"stem":92,"icon":93},"Metadata, content & errors","\u002Fresources\u002Fcontent-metadata-errors","3.resources\u002F3.content-metadata-errors","i-lucide-layers",{"title":95,"path":96,"stem":97,"icon":98},"Groups & organization","\u002Fresources\u002Forganization","3.resources\u002F4.organization","i-lucide-folder-tree",{"title":100,"path":101,"stem":102,"children":103,"page":39},"Prompts","\u002Fprompts","4.prompts",[104,108,113,117],{"title":46,"path":105,"stem":106,"icon":107},"\u002Fprompts\u002Foverview","4.prompts\u002F0.overview","i-lucide-message-square",{"title":109,"path":110,"stem":111,"icon":112},"Authoring & structure","\u002Fprompts\u002Fauthoring","4.prompts\u002F1.authoring","i-lucide-pen-line",{"title":114,"path":115,"stem":116,"icon":93},"Input, handler & messages","\u002Fprompts\u002Finput-handler-messages","4.prompts\u002F2.input-handler-messages",{"title":118,"path":119,"stem":120,"icon":121},"Patterns & advanced","\u002Fprompts\u002Fpatterns-advanced","4.prompts\u002F3.patterns-advanced","i-lucide-line-chart",{"title":123,"path":124,"stem":125,"children":126,"page":39},"Handlers","\u002Fhandlers","5.handlers",[127,131,136,141,146,151],{"title":46,"path":128,"stem":129,"icon":130},"\u002Fhandlers\u002Foverview","5.handlers\u002F0.overview","i-lucide-server",{"title":132,"path":133,"stem":134,"icon":135},"Default & custom handlers","\u002Fhandlers\u002Fdefault-and-custom","5.handlers\u002F1.default-and-custom","i-lucide-toggle-left",{"title":137,"path":138,"stem":139,"icon":140},"Structure & options","\u002Fhandlers\u002Fstructure-and-options","5.handlers\u002F2.structure-and-options","i-lucide-sliders-horizontal",{"title":142,"path":143,"stem":144,"icon":145},"Examples & routing","\u002Fhandlers\u002Fexamples-routing","5.handlers\u002F3.examples-routing","i-lucide-route",{"title":147,"path":148,"stem":149,"icon":150},"Sharing & practices","\u002Fhandlers\u002Fsharing-practices","5.handlers\u002F4.sharing-practices","i-lucide-share-2",{"title":152,"path":153,"stem":154,"icon":155},"Multi-handler organization","\u002Fhandlers\u002Forganization","5.handlers\u002F5.organization","i-lucide-network",{"title":157,"path":158,"stem":159,"children":160,"page":39},"Apps","\u002Fapps","6.apps",[161,165,170,175,179,184],{"title":46,"path":162,"stem":163,"icon":164},"\u002Fapps\u002Foverview","6.apps\u002F0.overview","i-lucide-app-window",{"title":166,"path":167,"stem":168,"icon":169},"Authoring & defineMcpApp","\u002Fapps\u002Fauthoring","6.apps\u002F1.authoring","i-lucide-code-2",{"title":171,"path":172,"stem":173,"icon":174},"useMcpApp() bridge","\u002Fapps\u002Fuse-mcp-app","6.apps\u002F2.use-mcp-app","i-lucide-message-circle",{"title":176,"path":177,"stem":178,"icon":64},"CSP & build pipeline","\u002Fapps\u002Fcsp-and-wiring","6.apps\u002F3.csp-and-wiring",{"title":180,"path":181,"stem":182,"icon":183},"Testing & publishing","\u002Fapps\u002Ftesting-publishing","6.apps\u002F4.testing-publishing","i-lucide-rocket",{"title":185,"path":186,"stem":187,"icon":188},"Patterns & limits","\u002Fapps\u002Fpatterns-reference","6.apps\u002F5.patterns-reference","i-lucide-book-marked",{"title":190,"path":191,"stem":192,"children":193,"page":39},"Advanced Topics","\u002Fadvanced","7.advanced",[194,199,204,209,214,218,223,228,233,238,243,248],{"title":195,"path":196,"stem":197,"icon":198},"Custom Paths","\u002Fadvanced\u002Fcustom-paths","7.advanced\u002F1.custom-paths","i-lucide-folder",{"title":200,"path":201,"stem":202,"icon":203},"Logging","\u002Fadvanced\u002Flogging","7.advanced\u002F10.logging","i-lucide-scroll-text",{"title":205,"path":206,"stem":207,"icon":208},"MCP Apps Internals","\u002Fadvanced\u002Fmcp-apps-internals","7.advanced\u002F11.mcp-apps-internals","i-lucide-cog",{"title":210,"path":211,"stem":212,"icon":213},"Listing Definitions","\u002Fadvanced\u002Flisting-definitions","7.advanced\u002F12.listing-definitions","i-lucide-list",{"title":215,"path":216,"stem":217,"icon":64},"Middleware","\u002Fadvanced\u002Fmiddleware","7.advanced\u002F2.middleware",{"title":219,"path":220,"stem":221,"icon":222},"TypeScript","\u002Fadvanced\u002Ftypescript","7.advanced\u002F3.typescript","i-lucide-type",{"title":224,"path":225,"stem":226,"icon":227},"Hooks","\u002Fadvanced\u002Fhooks","7.advanced\u002F4.hooks","i-lucide-webhook",{"title":229,"path":230,"stem":231,"icon":232},"MCP Evals","\u002Fadvanced\u002Fevals","7.advanced\u002F5.evals","i-lucide-flask-conical",{"title":234,"path":235,"stem":236,"icon":237},"Sessions","\u002Fadvanced\u002Fsessions","7.advanced\u002F6.sessions","i-lucide-database",{"title":239,"path":240,"stem":241,"icon":242},"Dynamic Definitions","\u002Fadvanced\u002Fdynamic-definitions","7.advanced\u002F7.dynamic-definitions","i-lucide-toggle-right",{"title":244,"path":245,"stem":246,"icon":247},"Code Mode","\u002Fadvanced\u002Fcode-mode","7.advanced\u002F8.code-mode","i-lucide-code",{"title":249,"path":250,"stem":251,"icon":252},"Elicitation","\u002Fadvanced\u002Felicitation","7.advanced\u002F9.elicitation","i-lucide-message-square-quote",{"title":254,"path":255,"stem":256,"children":257,"page":39},"Examples","\u002Fexamples","8.examples",[258,263,268,273,278],{"title":259,"path":260,"stem":261,"icon":262},"Authentication","\u002Fexamples\u002Fauthentication","8.examples\u002F1.authentication","i-lucide-shield-check",{"title":264,"path":265,"stem":266,"icon":267},"API Integration","\u002Fexamples\u002Fapi-integration","8.examples\u002F2.api-integration","i-lucide-globe",{"title":269,"path":270,"stem":271,"icon":272},"Common Patterns","\u002Fexamples\u002Fcommon-patterns","8.examples\u002F3.common-patterns","i-lucide-lightbulb",{"title":274,"path":275,"stem":276,"icon":277},"File Operations","\u002Fexamples\u002Ffile-operations","8.examples\u002F4.file-operations","i-lucide-file",{"title":279,"path":280,"stem":281,"icon":107},"Prompt Examples","\u002Fexamples\u002Fprompt-examples","8.examples\u002F5.prompt-examples",{"id":283,"title":176,"body":284,"description":764,"extension":765,"links":766,"meta":767,"navigation":768,"path":177,"seo":769,"stem":178,"__hash__":772},"docs\u002F6.apps\u002F3.csp-and-wiring.md",{"type":285,"value":286,"toc":760},"minimark",[287,292,301,319,322,564,575,584,646,657,661,672,702,705,747,756],[288,289,291],"h2",{"id":290},"csp-resource-allow-lists","CSP & Resource Allow-Lists",[293,294,295,296,300],"p",{},"The toolkit injects a ",[297,298,299],"strong",{},"conservative Content Security Policy"," into every app HTML. By default the iframe can:",[302,303,304,308,311],"ul",{},[305,306,307],"li",{},"Run only its own inline script.",[305,309,310],{},"Render images and styles only from the same response.",[305,312,313,314,318],{},"Talk over ",[315,316,317],"code",{},"postMessage"," to its parent host.",[293,320,321],{},"If your UI needs external assets or APIs, allow them explicitly:",[323,324,330],"pre",{"className":325,"code":326,"filename":327,"language":328,"meta":329,"style":329},"language-vue shiki shiki-themes material-theme-lighter material-theme material-theme-palenight","\u003Cscript setup lang=\"ts\">\ndefineMcpApp({\n  description: 'Pick a colour and preview a palette.',\n  csp: {\n    resourceDomains: ['https:\u002F\u002Fimages.unsplash.com'],\n    connectDomains: ['https:\u002F\u002Fapi.example.com'],\n  },\n  handler: async ({ base }) => ({ structuredContent: await $fetch('\u002Fapi\u002Fpalette', { query: { base } }) }),\n})\n\u003C\u002Fscript>\n","app\u002Fmcp\u002Fcolor-picker.vue","vue","",[315,331,332,367,381,402,413,436,457,463,546,554],{"__ignoreMap":329},[333,334,337,341,345,349,352,355,358,362,364],"span",{"class":335,"line":336},"line",1,[333,338,340],{"class":339},"sMK4o","\u003C",[333,342,344],{"class":343},"swJcz","script",[333,346,348],{"class":347},"spNyl"," setup",[333,350,351],{"class":347}," lang",[333,353,354],{"class":339},"=",[333,356,357],{"class":339},"\"",[333,359,361],{"class":360},"sfazB","ts",[333,363,357],{"class":339},[333,365,366],{"class":339},">\n",[333,368,370,374,378],{"class":335,"line":369},2,[333,371,373],{"class":372},"s2Zo4","defineMcpApp",[333,375,377],{"class":376},"sTEyZ","(",[333,379,380],{"class":339},"{\n",[333,382,384,387,390,393,396,399],{"class":335,"line":383},3,[333,385,386],{"class":343},"  description",[333,388,389],{"class":339},":",[333,391,392],{"class":339}," '",[333,394,395],{"class":360},"Pick a colour and preview a palette.",[333,397,398],{"class":339},"'",[333,400,401],{"class":339},",\n",[333,403,405,408,410],{"class":335,"line":404},4,[333,406,407],{"class":343},"  csp",[333,409,389],{"class":339},[333,411,412],{"class":339}," {\n",[333,414,416,419,421,424,426,429,431,434],{"class":335,"line":415},5,[333,417,418],{"class":343},"    resourceDomains",[333,420,389],{"class":339},[333,422,423],{"class":376}," [",[333,425,398],{"class":339},[333,427,428],{"class":360},"https:\u002F\u002Fimages.unsplash.com",[333,430,398],{"class":339},[333,432,433],{"class":376},"]",[333,435,401],{"class":339},[333,437,439,442,444,446,448,451,453,455],{"class":335,"line":438},6,[333,440,441],{"class":343},"    connectDomains",[333,443,389],{"class":339},[333,445,423],{"class":376},[333,447,398],{"class":339},[333,449,450],{"class":360},"https:\u002F\u002Fapi.example.com",[333,452,398],{"class":339},[333,454,433],{"class":376},[333,456,401],{"class":339},[333,458,460],{"class":335,"line":459},7,[333,461,462],{"class":339},"  },\n",[333,464,466,469,471,474,477,481,484,487,490,493,496,498,502,505,507,509,512,514,517,520,523,525,527,530,533,536,539,541,544],{"class":335,"line":465},8,[333,467,468],{"class":372},"  handler",[333,470,389],{"class":339},[333,472,473],{"class":347}," async",[333,475,476],{"class":339}," ({",[333,478,480],{"class":479},"sHdIc"," base",[333,482,483],{"class":339}," })",[333,485,486],{"class":347}," =>",[333,488,489],{"class":376}," (",[333,491,492],{"class":339},"{",[333,494,495],{"class":343}," structuredContent",[333,497,389],{"class":339},[333,499,501],{"class":500},"s7zQu"," await",[333,503,504],{"class":372}," $fetch",[333,506,377],{"class":376},[333,508,398],{"class":339},[333,510,511],{"class":360},"\u002Fapi\u002Fpalette",[333,513,398],{"class":339},[333,515,516],{"class":339},",",[333,518,519],{"class":339}," {",[333,521,522],{"class":343}," query",[333,524,389],{"class":339},[333,526,519],{"class":339},[333,528,529],{"class":376}," base ",[333,531,532],{"class":339},"}",[333,534,535],{"class":339}," }",[333,537,538],{"class":376},") ",[333,540,532],{"class":339},[333,542,543],{"class":376},")",[333,545,401],{"class":339},[333,547,549,551],{"class":335,"line":548},9,[333,550,532],{"class":339},[333,552,553],{"class":376},")\n",[333,555,557,560,562],{"class":335,"line":556},10,[333,558,559],{"class":339},"\u003C\u002F",[333,561,344],{"class":343},[333,563,366],{"class":339},[293,565,566,567,570,571,574],{},"The CSP is mirrored into ",[315,568,569],{},"_meta.ui.csp"," (and ",[315,572,573],{},"openai\u002FwidgetCSP"," for ChatGPT) so hosts that enforce CSP at the iframe level pick up the same rules.",[576,577,579,580,583],"callout",{"color":578,"icon":64},"warning","Pass ",[315,581,582],{},"csp: false"," only as a last resort — and only if you fully control the assets the iframe loads. The default policy is what makes apps safe to render across hosts.",[585,586,587,600],"table",{},[588,589,590],"thead",{},[591,592,593,597],"tr",{},[594,595,596],"th",{},"Field",[594,598,599],{},"What it allows",[601,602,603,624],"tbody",{},[591,604,605,611],{},[606,607,608],"td",{},[315,609,610],{},"resourceDomains",[606,612,613,616,617,616,620,623],{},[315,614,615],{},"\u003Cimg>",", ",[315,618,619],{},"\u003Cstyle>",[315,621,622],{},"\u003Clink>",", fonts loaded from these origins",[591,625,626,631],{},[606,627,628],{},[315,629,630],{},"connectDomains",[606,632,633,616,636,616,639,616,642,645],{},[315,634,635],{},"fetch()",[315,637,638],{},"XHR",[315,640,641],{},"WebSocket",[315,643,644],{},"EventSource"," to these origins",[293,647,648,649,652,653,656],{},"Origins should use ",[315,650,651],{},"http(s):\u002F\u002F"," or ",[315,654,655],{},"ws(s):\u002F\u002F",". The toolkit rejects empty values, unsupported URL schemes, whitespace, quotes, and semicolons before the app response is served.",[288,658,660],{"id":659},"how-its-wired","How It's Wired",[293,662,663,664,667,668,671],{},"Behind the scenes, each ",[315,665,666],{},".vue"," file under the configured apps directory becomes ",[297,669,670],{},"three artifacts"," at build time:",[673,674,675,682,696],"ol",{},[305,676,677,678,681],{},"A ",[297,679,680],{},"tool definition"," registered on your MCP handler (input schema, description, server handler).",[305,683,677,684,687,688,691,692,695],{},[297,685,686],{},"UI resource"," at ",[315,689,690],{},"ui:\u002F\u002Fmcp-app\u002F\u003Cname>"," returning ",[315,693,694],{},"text\u002Fhtml;profile=mcp-app",".",[305,697,677,698,701],{},[297,699,700],{},"single-file HTML bundle"," of the Vue SFC (Vue runtime, your code, scoped CSS, assets) inlined into the resource response.",[293,703,704],{},"When the LLM calls the tool:",[673,706,707,717,723,734],{},[305,708,709,710,713,714,695],{},"Your ",[315,711,712],{},"handler"," runs on the server and produces ",[315,715,716],{},"structuredContent",[305,718,719,720,695],{},"The toolkit injects that data into the bundled HTML as ",[315,721,722],{},"\u003Cscript type=\"application\u002Fjson\" id=\"__mcp_app_data__\">…\u003C\u002Fscript>",[305,724,725,726,729,730,733],{},"The host returns the resource to the user; its iframe boots and ",[315,727,728],{},"useMcpApp()"," reads the inline data into ",[315,731,732],{},"data"," synchronously.",[305,735,736,737,616,740,616,743,746],{},"From there, the iframe and the host exchange messages over a JSON-RPC bridge for ",[315,738,739],{},"callTool",[315,741,742],{},"sendPrompt",[315,744,745],{},"openLink",", and theme\u002Fsize updates.",[576,748,751,752,755],{"color":749,"icon":750},"primary","i-lucide-zap","Everything ships in ",[297,753,754],{},"one HTML response",". No extra HTTP request from the iframe, no waterfall, no flicker.",[757,758,759],"style",{},"html pre.shiki code .sMK4o, html code.shiki .sMK4o{--shiki-light:#39ADB5;--shiki-default:#89DDFF;--shiki-dark:#89DDFF}html pre.shiki code .swJcz, html code.shiki .swJcz{--shiki-light:#E53935;--shiki-default:#F07178;--shiki-dark:#F07178}html pre.shiki code .spNyl, html code.shiki .spNyl{--shiki-light:#9C3EDA;--shiki-default:#C792EA;--shiki-dark:#C792EA}html pre.shiki code .sfazB, html code.shiki .sfazB{--shiki-light:#91B859;--shiki-default:#C3E88D;--shiki-dark:#C3E88D}html pre.shiki code .s2Zo4, html code.shiki .s2Zo4{--shiki-light:#6182B8;--shiki-default:#82AAFF;--shiki-dark:#82AAFF}html pre.shiki code .sTEyZ, html code.shiki .sTEyZ{--shiki-light:#90A4AE;--shiki-default:#EEFFFF;--shiki-dark:#BABED8}html pre.shiki code .sHdIc, html code.shiki .sHdIc{--shiki-light:#90A4AE;--shiki-light-font-style:italic;--shiki-default:#EEFFFF;--shiki-default-font-style:italic;--shiki-dark:#BABED8;--shiki-dark-font-style:italic}html pre.shiki code .s7zQu, html code.shiki .s7zQu{--shiki-light:#39ADB5;--shiki-light-font-style:italic;--shiki-default:#89DDFF;--shiki-default-font-style:italic;--shiki-dark:#89DDFF;--shiki-dark-font-style:italic}html .light .shiki span {color: var(--shiki-light);background: var(--shiki-light-bg);font-style: var(--shiki-light-font-style);font-weight: var(--shiki-light-font-weight);text-decoration: var(--shiki-light-text-decoration);}html.light .shiki span {color: var(--shiki-light);background: var(--shiki-light-bg);font-style: var(--shiki-light-font-style);font-weight: var(--shiki-light-font-weight);text-decoration: var(--shiki-light-text-decoration);}html .default .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html.dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}",{"title":329,"searchDepth":369,"depth":369,"links":761},[762,763],{"id":290,"depth":369,"text":291},{"id":659,"depth":369,"text":660},"Content Security Policy, allow-listed domains, and how HTML bundles are produced.","md",null,{},{"icon":64},{"title":770,"description":771},"MCP Apps — CSP & wiring","iframe CSP, external assets, and the build pipeline for MCP UI resources.","MwH9uAcFyCGJauuZqpXoURyvbJKcNGBSF-v-00hjJQM",[774,776],{"title":171,"path":172,"stem":173,"description":775,"icon":174,"children":-1},"data, hostContext, sendPrompt, callTool, and openLink from inside the iframe.",{"title":180,"path":181,"stem":182,"description":777,"icon":183,"children":-1},"Test MCP Apps locally, pick a compatible host, and ship HTTPS endpoints for ChatGPT, Claude, and IDE clients.",1777888634615]