feat: add skybridge integration #140
Draft
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
infoxicator
commented
Oct 27, 2025
Author
There was a problem hiding this comment.
infoxicator
commented
Oct 27, 2025
| inner.setAttribute('sandbox', sandbox); | ||
| } | ||
| if (typeof html === 'string') { | ||
| inner.srcdoc = html; |
Author
There was a problem hiding this comment.
the key was to use document.write() instead of srcdoc.
srcdoc changes the root url and breaks client side navigation.
inner.src: 'about:blank'
and document.write() do the trick
infoxicator
commented
Oct 27, 2025
Author
There was a problem hiding this comment.
@idosal you recently added the double proxy. what client was that for? I don't think this is a breaking change since it is the code clients need to add to their CDN anyway but curious if you tested the previous implementation
Collaborator
There was a problem hiding this comment.
It's not used in production yet, so we can change it.
infoxicator
commented
Oct 27, 2025
| 'rawHtml', | ||
| 'externalUrl', | ||
| 'remoteDom', | ||
| 'skybridge', |
Author
infoxicator
commented
Oct 27, 2025
| htmlString?: string; | ||
| }; | ||
|
|
||
| const apiScript = ( |
Author
Collaborator
There was a problem hiding this comment.
I'd move this to a different file, or ideally bundle it (similarly to how we handle the server adapter).
infoxicator
commented
Oct 27, 2025
| } | ||
|
|
||
| if (resource.mimeType === 'text/html+skybridge') { | ||
| const widgetStateKey = `openai-widget-state:${toolName}:`; |
Author
There was a problem hiding this comment.
This is the main thing I am not sure about. Is the widgetState persisted per tool invocation or per widget? if it is per widget this works but if it is per invocation then we need the host to pass something like a toolId or unique identifier.
infoxicator
commented
Oct 27, 2025
Author
Author
|
UiResourceRenderer interface change infoxicator#2 |
matteo8p
reviewed
Oct 28, 2025
| theme: 'dark', | ||
| locale: 'en-US', | ||
| safeArea: { insets: { top: 0, bottom: 0, left: 0, right: 0 } }, | ||
| userAgent: {}, |
There was a problem hiding this comment.
We have userAgent set to
{
device: { type: 'desktop' },
capabilities: { hover: true, touch: false }
}
cc: @chelojimenez what was the reason we had userAgent set to this?
matteo8p
reviewed
Oct 28, 2025
| toolResponseMetadata: ${JSON.stringify(toolResponseMetadata ?? null)}, | ||
| displayMode: 'inline', | ||
| maxHeight: 600, | ||
| theme: 'dark', |
There was a problem hiding this comment.
Set theme to be dynamic. User should be able to toggle the theme. Pass in a theme: "light" | "dark" to the api.
idosal
reviewed
Nov 1, 2025
Comment on lines
13
to
15
| toolInput?: Record<string, unknown>; | ||
| toolName?: string; | ||
| toolResponseMetadata?: Record<string, unknown>; |
Collaborator
There was a problem hiding this comment.
@infoxicator WDYT about formalizing these fields to be in the render data?
Author
Author
There was a problem hiding this comment.
Been working on shipping the postman integration. But still giving this some thought. I like the new props jsut ensuring they align with mcp-ui and all the other resource types not just chatgpt.
For example. ToolResponse and widget state in the context of chatgpt is the initial data. but I think there might be a case where we would like to pass arbitrary data to a widget that are not those. Currently I am merging them. into a single object for chatgpt but considering all the implications of that.
Maybe is safer just to keep them separate?
![cubic-dev-ai[bot]](https://avatars.githubusercontent.com/in/1082092?s=60&v=4){kind=small}
There was a problem hiding this comment.
7 issues found across 19 files
Prompt for AI agents (all 7 issues)
Understand the root cause of the following 7 issues and fix them.
<file name="sdks/typescript/client/src/adapters/appssdk/open-ai-script.ts">
<violation number="1" location="sdks/typescript/client/src/adapters/appssdk/open-ai-script.ts:39">
Escape the serialized config before inlining it so that user-provided values cannot terminate the script tag and execute arbitrary JavaScript.</violation>
</file>
<file name="sdks/typescript/client/src/utils/__tests__/processResource.test.ts">
<violation number="1" location="sdks/typescript/client/src/utils/__tests__/processResource.test.ts:342">
The injected config is JSON-stringified, so the HTML contains `"toolInput":{"foo":"bar"}` with quoted keys—`'toolInput: {"foo":"bar"}'` never appears and this assertion will fail. Update this and the other similar expectations in the block to match the JSON string.</violation>
<violation number="2" location="sdks/typescript/client/src/utils/__tests__/processResource.test.ts:353">
The script only serializes the provided capabilities object, so with `{ hover: false }` the HTML contains `"capabilities":{"hover":false}`—there is no `touch` entry, making this assertion fail.</violation>
<violation number="3" location="sdks/typescript/client/src/utils/__tests__/processResource.test.ts:370">
Because the injected config is JSON output, the HTML includes `"toolOutput":{"fallback":true}` rather than `toolOutput: {…}`. This assertion will always fail and should match the JSON-formatted substring.</violation>
</file>
<file name="README.md">
<violation number="1" location="README.md:102">
`htmlProps` cannot accept these context props, so the README guidance to pass them there is incorrect. Please remove or revise that sentence.</violation>
</file>
<file name="docs/src/guide/client/html-resource.md">
<violation number="1" location="docs/src/guide/client/html-resource.md:46">
The docs state that `mcpContextProps.toolOutput` merges with `iframeRenderData`, but `processHTMLResource` simply overrides `initialRenderData` when `toolOutput` exists, so no merge occurs. Please update the description to reflect the actual override behavior.</violation>
</file>
<file name="sdks/typescript/client/src/utils/processResource.ts">
<violation number="1" location="sdks/typescript/client/src/utils/processResource.ts:188">
Skybridge HTML without a <html> tag never gets the runtime script injected, so those resources fail to initialize. Please add a fallback that prepends the script when neither <head> nor <html> is present.</violation>
</file>
Since this is your first cubic review, here's how it works:
- cubic automatically reviews your code and comments on bugs and improvements
- Teach cubic by replying to its comments. cubic learns from your replies and gets better over time
- Ask questions if you need clarification on any suggestion
React with 👍 or 👎 to teach cubic. Mention @cubic-dev-ai to give feedback, ask questions, or re-run the review.
| }); | ||
|
|
||
| expect(result.error).toBeUndefined(); | ||
| expect(result.htmlString).toContain('toolOutput: {"fallback":true}'); |
There was a problem hiding this comment.
Because the injected config is JSON output, the HTML includes "toolOutput":{"fallback":true} rather than toolOutput: {…}. This assertion will always fail and should match the JSON-formatted substring.
Prompt for AI agents
Address the following comment on sdks/typescript/client/src/utils/__tests__/processResource.test.ts at line 370:
<comment>Because the injected config is JSON output, the HTML includes `"toolOutput":{"fallback":true}` rather than `toolOutput: {…}`. This assertion will always fail and should match the JSON-formatted substring.</comment>
<file context>
@@ -309,6 +309,66 @@ describe('processHTMLResource', () => {
+ });
+
+ expect(result.error).toBeUndefined();
+ expect(result.htmlString).toContain('toolOutput: {"fallback":true}');
+ });
});
</file context>
Suggested change
| expect(result.htmlString).toContain('toolOutput: {"fallback":true}'); | |
| expect(result.htmlString).toContain('"toolOutput":{"fallback":true}'); |
| expect(result.htmlString).toContain('displayMode: "overlay"'); | ||
| expect(result.htmlString).toContain('maxHeight: 720'); | ||
| expect(result.htmlString).toContain('"insets":{"top":10,"bottom":20,"left":0,"right":5}'); | ||
| expect(result.htmlString).toContain('capabilities: {"hover":false,"touch":false}'); |
There was a problem hiding this comment.
The script only serializes the provided capabilities object, so with { hover: false } the HTML contains "capabilities":{"hover":false}—there is no touch entry, making this assertion fail.
Prompt for AI agents
Address the following comment on sdks/typescript/client/src/utils/__tests__/processResource.test.ts at line 353:
<comment>The script only serializes the provided capabilities object, so with `{ hover: false }` the HTML contains `"capabilities":{"hover":false}`—there is no `touch` entry, making this assertion fail.</comment>
<file context>
@@ -309,6 +309,66 @@ describe('processHTMLResource', () => {
+ expect(result.htmlString).toContain('displayMode: "overlay"');
+ expect(result.htmlString).toContain('maxHeight: 720');
+ expect(result.htmlString).toContain('"insets":{"top":10,"bottom":20,"left":0,"right":5}');
+ expect(result.htmlString).toContain('capabilities: {"hover":false,"touch":false}');
+ });
+
</file context>
Suggested change
| expect(result.htmlString).toContain('capabilities: {"hover":false,"touch":false}'); | |
| expect(result.htmlString).toContain('"capabilities":{"hover":false}'); |
|
|
||
| expect(result.error).toBeUndefined(); | ||
| expect(result.htmlString).toContain('openai-widget-state:demo-tool:'); | ||
| expect(result.htmlString).toContain('toolInput: {"foo":"bar"}'); |
There was a problem hiding this comment.
The injected config is JSON-stringified, so the HTML contains "toolInput":{"foo":"bar"} with quoted keys—'toolInput: {"foo":"bar"}' never appears and this assertion will fail. Update this and the other similar expectations in the block to match the JSON string.
Prompt for AI agents
Address the following comment on sdks/typescript/client/src/utils/__tests__/processResource.test.ts at line 342:
<comment>The injected config is JSON-stringified, so the HTML contains `"toolInput":{"foo":"bar"}` with quoted keys—`'toolInput: {"foo":"bar"}'` never appears and this assertion will fail. Update this and the other similar expectations in the block to match the JSON string.</comment>
<file context>
@@ -309,6 +309,66 @@ describe('processHTMLResource', () => {
+
+ expect(result.error).toBeUndefined();
+ expect(result.htmlString).toContain('openai-widget-state:demo-tool:');
+ expect(result.htmlString).toContain('toolInput: {"foo":"bar"}');
+ expect(result.htmlString).toContain('toolOutput: {"override":"yes"}');
+ expect(result.htmlString).toContain('toolResponseMetadata: {"traceId":"abc"}');
</file context>
Suggested change
| expect(result.htmlString).toContain('toolInput: {"foo":"bar"}'); | |
| expect(result.htmlString).toContain('"toolInput":{"foo":"bar"}'); |
README.md
Outdated
| - **`iframeRenderData`**: Optional `Record<string, unknown>` to pass data to the iframe upon rendering. This enables advanced use cases where the parent application needs to provide initial state or configuration to the sandboxed iframe content. | ||
| - **`autoResizeIframe`**: Optional `boolean | { width?: boolean; height?: boolean }` to automatically resize the iframe to the size of the content. | ||
| - **`mcpContextProps`**: Optional MCP invocation context forwarded to HTML resources (e.g., `toolInput`, `toolOutput`, `toolName`, `toolResponseMetadata`). When `toolOutput` is provided, it is merged with `iframeRenderData` for the sandbox payload (with `toolOutput` fields taking precedence). | ||
| - **`clientContextProps`**: Optional host context (e.g., `theme`, `locale`, `userAgent`, `model`, `displayMode`, `maxHeight`, `safeArea`, `capabilities`) exposed to sandboxed HTML content. Both context props can also be supplied via `htmlProps` when you need HTML-specific overrides. `capabilities` defaults to `{ hover: true, touch: false }` when unspecified. |
There was a problem hiding this comment.
htmlProps cannot accept these context props, so the README guidance to pass them there is incorrect. Please remove or revise that sentence.
Prompt for AI agents
Address the following comment on README.md at line 102:
<comment>`htmlProps` cannot accept these context props, so the README guidance to pass them there is incorrect. Please remove or revise that sentence.</comment>
<file context>
@@ -98,6 +98,8 @@ It accepts the following props:
- **`iframeRenderData`**: Optional `Record<string, unknown>` to pass data to the iframe upon rendering. This enables advanced use cases where the parent application needs to provide initial state or configuration to the sandboxed iframe content.
- **`autoResizeIframe`**: Optional `boolean | { width?: boolean; height?: boolean }` to automatically resize the iframe to the size of the content.
+- **`mcpContextProps`**: Optional MCP invocation context forwarded to HTML resources (e.g., `toolInput`, `toolOutput`, `toolName`, `toolResponseMetadata`). When `toolOutput` is provided, it is merged with `iframeRenderData` for the sandbox payload (with `toolOutput` fields taking precedence).
+- **`clientContextProps`**: Optional host context (e.g., `theme`, `locale`, `userAgent`, `model`, `displayMode`, `maxHeight`, `safeArea`, `capabilities`) exposed to sandboxed HTML content. Both context props can also be supplied via `htmlProps` when you need HTML-specific overrides. `capabilities` defaults to `{ hover: true, touch: false }` when unspecified.
- **`remoteDomProps`**: Optional props for the internal `<RemoteDOMResourceRenderer>`
- **`library`**: Optional component library for Remote DOM resources (defaults to `basicComponentLibrary`)
</file context>
Suggested change
| - **`clientContextProps`**: Optional host context (e.g., `theme`, `locale`, `userAgent`, `model`, `displayMode`, `maxHeight`, `safeArea`, `capabilities`) exposed to sandboxed HTML content. Both context props can also be supplied via `htmlProps` when you need HTML-specific overrides. `capabilities` defaults to `{ hover: true, touch: false }` when unspecified. | |
| - **`clientContextProps`**: Optional host context (e.g., `theme`, `locale`, `userAgent`, `model`, `displayMode`, `maxHeight`, `safeArea`, `capabilities`) exposed to sandboxed HTML content. `capabilities` defaults to `{ hover: true, touch: false }` when unspecified. |
| - **`style`**: (Optional) Custom styles for the iframe. | ||
| - **`proxy`**: (Optional) A URL to a proxy script. This is useful for hosts with a strict Content Security Policy (CSP). When provided, external URLs will be rendered in a nested iframe hosted at this URL. For example, if `proxy` is `https://my-proxy.com/`, the final URL will be `https://my-proxy.com/?url=<encoded_original_url>`. For your convenience, mcp-ui hosts a proxy script at `https://proxy.mcpui.dev`, which you can use as a the prop value without any setup (see `examples/external-url-demo`). | ||
| - **`iframeProps`**: (Optional) Custom props for the iframe. | ||
| - **`iframeRenderData`**: (Optional) Additional data merged into the render payload forwarded to the iframe. When `mcpContextProps.toolOutput` is provided, it merges with this data for the sandbox payload (with `toolOutput` fields taking precedence). |
There was a problem hiding this comment.
The docs state that mcpContextProps.toolOutput merges with iframeRenderData, but processHTMLResource simply overrides initialRenderData when toolOutput exists, so no merge occurs. Please update the description to reflect the actual override behavior.
Prompt for AI agents
Address the following comment on docs/src/guide/client/html-resource.md at line 46:
<comment>The docs state that `mcpContextProps.toolOutput` merges with `iframeRenderData`, but `processHTMLResource` simply overrides `initialRenderData` when `toolOutput` exists, so no merge occurs. Please update the description to reflect the actual override behavior.</comment>
<file context>
@@ -40,6 +43,8 @@ The component accepts the following props:
- **`style`**: (Optional) Custom styles for the iframe.
- **`proxy`**: (Optional) A URL to a proxy script. This is useful for hosts with a strict Content Security Policy (CSP). When provided, external URLs will be rendered in a nested iframe hosted at this URL. For example, if `proxy` is `https://my-proxy.com/`, the final URL will be `https://my-proxy.com/?url=<encoded_original_url>`. For your convenience, mcp-ui hosts a proxy script at `https://proxy.mcpui.dev`, which you can use as a the prop value without any setup (see `examples/external-url-demo`).
- **`iframeProps`**: (Optional) Custom props for the iframe.
+- **`iframeRenderData`**: (Optional) Additional data merged into the render payload forwarded to the iframe. When `mcpContextProps.toolOutput` is provided, it merges with this data for the sandbox payload (with `toolOutput` fields taking precedence).
+- **`clientContextProps`**: (Optional) Host configuration forwarded to the sandboxed HTML (supports `theme`, `locale`, `userAgent`, `model`, `displayMode`, `maxHeight`, `safeArea`, and `capabilities`). When omitted, defaults are applied—`capabilities` defaults to `{ hover: true, touch: false }`.
- **`autoResizeIframe`**: (Optional) When enabled, the iframe will automatically resize based on messages from the iframe's content. This prop can be a boolean (to enable both width and height resizing) or an object (`{width?: boolean, height?: boolean}`) to control dimensions independently.
</file context>
Suggested change
| - **`iframeRenderData`**: (Optional) Additional data merged into the render payload forwarded to the iframe. When `mcpContextProps.toolOutput` is provided, it merges with this data for the sandbox payload (with `toolOutput` fields taking precedence). | |
| - **`iframeRenderData`**: (Optional) Additional data merged into the render payload forwarded to the iframe. When `mcpContextProps.toolOutput` is provided, it replaces this data for the sandbox payload. |
| capabilities, | ||
| })}\n`, | ||
| ); | ||
| if (!/<head[^>]*>/i.test(htmlContent)) { |
There was a problem hiding this comment.
Skybridge HTML without a tag never gets the runtime script injected, so those resources fail to initialize. Please add a fallback that prepends the script when neither nor is present.
Prompt for AI agents
Address the following comment on sdks/typescript/client/src/utils/processResource.ts at line 188:
<comment>Skybridge HTML without a <html> tag never gets the runtime script injected, so those resources fail to initialize. Please add a fallback that prepends the script when neither <head> nor <html> is present.</comment>
<file context>
@@ -132,13 +165,58 @@ export function processHTMLResource(
+ capabilities,
+ })}\n`,
+ );
+ if (!/<head[^>]*>/i.test(htmlContent)) {
+ htmlContent = htmlContent.replace(
+ /<html([^>]*)>/i,
</file context>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Adds skybridge integration for clients