Skip to content

Deploy Policy

The VifuHub CLI treats your built output as the reviewed runtime artifact.

That means the JavaScript that runs the game must be inside the deploy artifact. The VifuHub CLI does not download CDN scripts, patch HTML, vendor dependencies, or create a deploy lockfile during deploy.

Short Version

Allowed:

  • bundled JavaScript in your build output
  • local assets in the build output
  • Google Fonts
  • approved pinned static CSS, fonts, images, and media from package CDNs
  • ordinary external links
  • AI/backend access through the @vifu/hub module namespace

Blocked:

  • CDN JavaScript
  • remote import(...), importScripts(...), or Worker scripts
  • remote .js, .mjs, or .wasm URLs
  • direct external AI/backend API calls from game JavaScript
  • local-only providers such as LM Studio or Ollama in deployed builds

Why Remote JavaScript Is Blocked

Games in the Agent Runtime run in a managed iframe and can access host capabilities such as AI, save state, resources, and companion actions. If the game could execute arbitrary remote JavaScript, the reviewed artifact would no longer be the code that actually runs.

Static resources are different. CSS, fonts, images, and media do not define game logic, so the Agent Runtime allows approved resource categories through category-specific CSP.

Good

html
<link
  rel="stylesheet"
  href="https://cdn.jsdelivr.net/npm/[email protected]/dist/theme.css"
>
ts
const result = await hub.ai.generateText({
  model: "basic",
  messages: [{ role: "user", content: "Give a short hint." }]
});

Blocked

html
<script src="https://cdn.jsdelivr.net/npm/[email protected]/dist/phaser.min.js"></script>
ts
await import("https://cdn.jsdelivr.net/npm/@mediapipe/[email protected]/+esm");
fetch("https://api.openai.com/v1/chat/completions");
fetch("http://localhost:1234/v1/chat/completions");

Common Bundler Issue

This can fail even if the deployed game does not use the provider at runtime:

ts
import { MediaPipeService } from "./services/mediapipe.service";
import { VifuModelService } from "./services/vifu-model.service";

Static imports can make Vite, Angular, or Webpack include optional local model providers in the final browser bundle. If that provider imports remote JavaScript, vf deploy will block the artifact.

Fix it by keeping local-only providers out of the deployed build or loading them only in a separate local development profile.

What The CLI Reports

When validation fails, vf deploy reports:

  • built file and line
  • rule name
  • URL
  • why it is blocked
  • how to fix it

Example:

text
vf deploy blocked this runtime artifact.

1. Remote JavaScript import
   Built file: chunk.js:2
   Rule: remote code import
   URL: https://cdn.jsdelivr.net/npm/@mediapipe/[email protected]/+esm
   Why blocked: Remote JavaScript/WASM would execute outside the reviewed deploy artifact.
   Fix: Bundle the dependency locally, remove the unused provider/import, or lazy-load it only in a non-deployed build profile.

Runtime CSP

Runtime CSP follows the same policy:

  • script-src does not include CDN JavaScript hosts.
  • connect-src is limited to Agent Runtime and API origins.
  • style-src, font-src, img-src, and media-src may allow approved static resource hosts by category.
  • Worker and eval behavior are internal runtime rules, not public manifest switches.

Agent Runtime pages use runtime.vifu.ai in production and runtime-dev.vifu.ai in development. The trusted web shell stays on vifu.ai, and backend APIs stay on api.consenger.com / api-dev.consenger.com.

This separation means CSP 'self' for runtime code refers to the runtime gateway, not the web shell or the API. It also keeps runtime storage separate from web-shell storage. Uploaded games still run in a sandboxed iframe and must use the VifuHub SDK/host bridge for host capabilities.