Deploy Policy
The VifuHub CLI treats your built output as the reviewed runtime artifact.
That means the JavaScript that runs the game must be inside the deploy artifact. The VifuHub CLI does not download CDN scripts, patch HTML, vendor dependencies, or create a deploy lockfile during deploy.
Short Version
Allowed:
- bundled JavaScript in your build output
- local assets in the build output
- Google Fonts
- approved pinned static CSS, fonts, images, and media from package CDNs
- ordinary external links
- AI/backend access through the
@vifu/hubmodule namespace
Blocked:
- CDN JavaScript
- remote
import(...),importScripts(...), or Worker scripts - remote
.js,.mjs, or.wasmURLs - direct external AI/backend API calls from game JavaScript
- local-only providers such as LM Studio or Ollama in deployed builds
Why Remote JavaScript Is Blocked
Games in the Agent Runtime run in a managed iframe and can access host capabilities such as AI, save state, resources, and companion actions. If the game could execute arbitrary remote JavaScript, the reviewed artifact would no longer be the code that actually runs.
Static resources are different. CSS, fonts, images, and media do not define game logic, so the Agent Runtime allows approved resource categories through category-specific CSP.
Good
<link
rel="stylesheet"
href="https://cdn.jsdelivr.net/npm/[email protected]/dist/theme.css"
>const result = await hub.ai.generateText({
model: "basic",
messages: [{ role: "user", content: "Give a short hint." }]
});Blocked
<script src="https://cdn.jsdelivr.net/npm/[email protected]/dist/phaser.min.js"></script>await import("https://cdn.jsdelivr.net/npm/@mediapipe/[email protected]/+esm");
fetch("https://api.openai.com/v1/chat/completions");
fetch("http://localhost:1234/v1/chat/completions");Common Bundler Issue
This can fail even if the deployed game does not use the provider at runtime:
import { MediaPipeService } from "./services/mediapipe.service";
import { VifuModelService } from "./services/vifu-model.service";Static imports can make Vite, Angular, or Webpack include optional local model providers in the final browser bundle. If that provider imports remote JavaScript, vf deploy will block the artifact.
Fix it by keeping local-only providers out of the deployed build or loading them only in a separate local development profile.
What The CLI Reports
When validation fails, vf deploy reports:
- built file and line
- rule name
- URL
- why it is blocked
- how to fix it
Example:
vf deploy blocked this runtime artifact.
1. Remote JavaScript import
Built file: chunk.js:2
Rule: remote code import
URL: https://cdn.jsdelivr.net/npm/@mediapipe/[email protected]/+esm
Why blocked: Remote JavaScript/WASM would execute outside the reviewed deploy artifact.
Fix: Bundle the dependency locally, remove the unused provider/import, or lazy-load it only in a non-deployed build profile.Runtime CSP
Runtime CSP follows the same policy:
script-srcdoes not include CDN JavaScript hosts.connect-srcis limited to Agent Runtime and API origins.style-src,font-src,img-src, andmedia-srcmay allow approved static resource hosts by category.- Worker and eval behavior are internal runtime rules, not public manifest switches.
Agent Runtime pages use runtime.vifu.ai in production and runtime-dev.vifu.ai in development. The trusted web shell stays on vifu.ai, and backend APIs stay on api.consenger.com / api-dev.consenger.com.
This separation means CSP 'self' for runtime code refers to the runtime gateway, not the web shell or the API. It also keeps runtime storage separate from web-shell storage. Uploaded games still run in a sandboxed iframe and must use the VifuHub SDK/host bridge for host capabilities.
