Deploy Policy

Vifu treats your built output as the reviewed runtime artifact.

That means the JavaScript that runs the game must be inside the deploy artifact. Vifu does not download CDN scripts, patch HTML, vendor dependencies, or create a deploy lockfile during deploy.

Short Version

Allowed:

  • bundled JavaScript in your build output
  • local assets in the build output
  • Google Fonts
  • approved pinned static CSS, fonts, images, and media from package CDNs
  • ordinary external links
  • AI/backend access through @vifu/sdk or window.Vifu

Blocked:

  • CDN JavaScript
  • remote import(...), importScripts(...), or Worker scripts
  • remote .js, .mjs, or .wasm URLs
  • direct external AI/backend API calls from game JavaScript
  • local-only providers such as LM Studio or Ollama in deployed builds

Why Remote JavaScript Is Blocked

Vifu-hosted games run in a managed iframe and can access platform services such as AI, save state, resources, and companion actions. If the game could execute arbitrary remote JavaScript, the reviewed artifact would no longer be the code that actually runs.

Static resources are different. CSS, fonts, images, and media do not define game logic, so Vifu allows approved resource categories through category-specific CSP.

Good

html
<link
  rel="stylesheet"
  href="https://cdn.jsdelivr.net/npm/[email protected]/dist/theme.css"
>
ts
const result = await Vifu.ai.generateText({
  model: "basic",
  messages: [{ role: "user", content: "Give a short hint." }]
});

Blocked

html
<script src="https://cdn.jsdelivr.net/npm/[email protected]/dist/phaser.min.js"></script>
ts
await import("https://cdn.jsdelivr.net/npm/@mediapipe/[email protected]/+esm");
fetch("https://api.openai.com/v1/chat/completions");
fetch("http://localhost:1234/v1/chat/completions");

Common Bundler Issue

This can fail even if the deployed game does not use the provider at runtime:

ts
import { MediaPipeService } from "./services/mediapipe.service";
import { VifuModelService } from "./services/vifu-model.service";

Static imports can make Vite, Angular, or Webpack include optional local model providers in the final browser bundle. If that provider imports remote JavaScript, vifu deploy will block the artifact.

Fix it by keeping local-only providers out of the deployed build or loading them only in a separate local development profile.

What The CLI Reports

When validation fails, vifu deploy reports:

  • built file and line
  • rule name
  • URL
  • why it is blocked
  • how to fix it

Example:

text
Vifu deploy blocked this runtime artifact.

1. Remote JavaScript import
   Built file: chunk.js:2
   Rule: remote code import
   URL: https://cdn.jsdelivr.net/npm/@mediapipe/[email protected]/+esm
   Why blocked: Remote JavaScript/WASM would execute outside the reviewed deploy artifact.
   Fix: Bundle the dependency locally, remove the unused provider/import, or lazy-load it only in a non-deployed build profile.
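
A local pre-check for the blocked patterns listed on this page, useful for finding which built chunk pulled in a remote import before running vifu deploy. It is an added example, not Vifu's validator: the `scanArtifact` name, the rule labels and the sample hosts are assumptions, and every absolute-URL `fetch` is flagged because the page does not list the platform API hosts.

```javascript
// Added example: approximates the documented policy; this is not Vifu's validator.
// Rule labels are illustrative; the first matching rule wins per URL occurrence.
const RULES = [
  { rule: "remote script tag",
    re: /<script\b[^>]*\bsrc\s*=\s*["']((?:https?:)?\/\/[^"']+)["']/gi },
  { rule: "remote code import", // import(...), import "...", importScripts, Worker
    re: /\b(?:import\s*\(?|importScripts\s*\(|new\s+(?:Shared)?Worker\s*\()\s*["'`](https?:\/\/[^"'`]+)["'`]/g },
  { rule: "remote code import", // import ... from "https://..."
    re: /\bfrom\s*["'](https?:\/\/[^"']+)["']/g },
  { rule: "remote code URL", // any quoted remote .js/.mjs/.wasm URL
    re: /["'`](https?:\/\/[^"'`\s]+\.(?:m?js|wasm)(?:[?#][^"'`\s]*)?)["'`]/gi },
  { rule: "local-only provider", // loopback endpoints such as LM Studio or Ollama
    re: /["'`](https?:\/\/(?:localhost|127\.0\.0\.1)(?::\d+)?[^"'`\s]*)["'`]/gi },
  { rule: "direct external API call", // assumption: any absolute-URL fetch literal
    re: /\bfetch\s*\(\s*["'`](https?:\/\/[^"'`]+)["'`]/g },
];

// files: { "relative/path": "file contents" } read from the build output.
function scanArtifact(files) {
  const findings = [];
  const seen = new Set();
  for (const [file, text] of Object.entries(files)) {
    for (const { rule, re } of RULES) {
      for (const m of text.matchAll(re)) {
        // Locate the URL itself so a tag split across lines reports the URL's line.
        const at = m.index + m[0].indexOf(m[1]);
        const key = `${file}:${at}`;
        if (seen.has(key)) continue;
        seen.add(key);
        const line = text.slice(0, at).split("\n").length;
        findings.push({ file, line, rule, url: m[1] });
      }
    }
  }
  return findings;
}

// Constructed sample build output (hosts and paths are made up).
const SAMPLE = {
  "index.html":
    '<link rel="stylesheet" href="https://cdn.example.invalid/theme.css">\n' +
    '<script src="https://cdn.example.invalid/engine.min.js"></script>\n' +
    '<script type="module" src="./main.js"></script>',
  "chunk.js":
    'const a=1;\nconst p=()=>import("https://cdn.example.invalid/vision/+esm");\n' +
    'fetch("http://localhost:1234/v1/chat/completions");',
};

console.log(scanArtifact(SAMPLE));
```

Pattern matching on built output is a heuristic: URLs assembled at runtime from string fragments will not appear as literals, so the runtime CSP remains the enforcing control.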

Runtime CSP

Runtime CSP follows the same policy:

  • script-src does not include CDN JavaScript hosts.
  • connect-src is limited to Vifu platform APIs.
  • style-src, font-src, img-src, and media-src may allow approved static resource hosts by category.
  • Worker and eval behavior are internal runtime rules, not public manifest switches.