MQ37
left a comment
For me the widgets are loading properly on the desktop ChatGPT web UI - quite clunky, but it loads eventually. On mobile, only the search Actors widget is loading; the call-actor is endlessly loading for some reason - more context in Slack DMs. Pre-approving 👍
LGTM — straightforward CSP compatibility fix with shared constants and clear comments.
Overview
This PR modifies a single file (src/resources/widgets.ts) to fix ChatGPT CSP compatibility. It extracts RESOURCE_DOMAINS and CONNECT_DOMAINS into shared constants, keeps WIDGET_CSP with standard camelCase keys, and creates a new OPENAI_WIDGET_CSP with snake_case keys that ChatGPT expects. The new CSP object is wired into createWidgetMeta() via the openai/widgetCSP key. The type definition is also updated to reflect the new compatibility keys.
Security risks
No security concerns. The change only restructures existing CSP domain lists (all first-party Apify domains plus Google Fonts) and adds a snake_case variant. No new domains are introduced, no auth or permission logic is affected.
Level of scrutiny
Low scrutiny warranted. This is a small, mechanical refactor of widget metadata configuration. The domains are unchanged, the logic is straightforward constant extraction and object creation, and the comments clearly explain the rationale. Single file, no test changes needed for what is essentially a metadata shape fix.
Other factors
The only bug found is a documentation nit — the TODO in res/TODO-mcp-apps-migration.md line 22 still references WIDGET_CSP instead of OPENAI_WIDGET_CSP. This has zero runtime impact and is flagged as an inline comment. The code changes themselves are correct and well-documented with reference links to OpenAI documentation.
| const OPENAI_WIDGET_CSP = { | ||
| connect_domains: CONNECT_DOMAINS, | ||
| resource_domains: RESOURCE_DOMAINS, | ||
| } as const; |
🟡 Nit: The TODO at res/TODO-mcp-apps-migration.md line 22 still says to remove snake_case CSP fields from WIDGET_CSP, but this PR moved those fields into the new OPENAI_WIDGET_CSP object. The TODO should reference OPENAI_WIDGET_CSP so future cleanup targets the right constant.
What the bug is
The file res/TODO-mcp-apps-migration.md line 22 contains this tracking item:
Remove snake_case CSP fields (connect_domains, resource_domains) from WIDGET_CSP in src/resources/widgets.ts once MCP Jam and all hosts support camelCase (connectDomains, resourceDomains). Currently shipping both for compatibility.
After this PR, WIDGET_CSP (lines 30-33 of widgets.ts) contains only camelCase keys (connectDomains, resourceDomains). The snake_case keys (connect_domains, resource_domains) now live in the new OPENAI_WIDGET_CSP object (lines 36-39).
Why this is misleading
Someone following this TODO in the future would:
- Open src/resources/widgets.ts
- Look at WIDGET_CSP
- See only camelCase keys (connectDomains, resourceDomains)
- Conclude the cleanup is already done and close the TODO
- Miss OPENAI_WIDGET_CSP entirely, which is the actual location of the snake_case fields that need eventual removal
The phrase "Currently shipping both for compatibility" is also no longer accurate for WIDGET_CSP — the dual-format shipping now happens via two separate objects (WIDGET_CSP for camelCase, OPENAI_WIDGET_CSP for snake_case).
Impact
This is a documentation-only issue with no runtime impact. The code itself is correct — OPENAI_WIDGET_CSP is properly wired into createWidgetMeta() at line 97 via the openai/widgetCSP key. The risk is purely that the future cleanup tracked by this TODO gets incorrectly marked as done.
Suggested fix
Update line 22 of res/TODO-mcp-apps-migration.md to something like:
Remove OPENAI_WIDGET_CSP (snake_case CSP fields: connect_domains, resource_domains) from src/resources/widgets.ts once ChatGPT supports the standard camelCase connectDomains/resourceDomains fields in WIDGET_CSP.
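The dual-shape CSP metadata discussed in this thread, as an added TypeScript example that is not part of the PR or the project's code: a check that the camelCase and snake_case objects list the same origins and that every entry is an allowlisted exact https origin. The domain values, the allowlist and the auditWidgetCsp helper are constructed for illustration.

```typescript
// Added example, not the project's code. All domain values are constructed placeholders.
const RESOURCE_DOMAINS = ['https://static.example.com', 'https://fonts.example.net'] as const;
const CONNECT_DOMAINS = ['https://api.example.com'] as const;

// camelCase shape and the snake_case shape ChatGPT expects, built from the same shared lists.
const WIDGET_CSP = { connectDomains: CONNECT_DOMAINS, resourceDomains: RESOURCE_DOMAINS } as const;
const OPENAI_WIDGET_CSP = { connect_domains: CONNECT_DOMAINS, resource_domains: RESOURCE_DOMAINS } as const;

type CamelCsp = { connectDomains: readonly string[]; resourceDomains: readonly string[] };
type SnakeCsp = { connect_domains: readonly string[]; resource_domains: readonly string[] };

// Accept only an exact https origin: no wildcard, path, trailing slash or credentials.
function isExactHttpsOrigin(entry: string): boolean {
    if (entry.indexOf('*') !== -1) return false;
    try {
        const url = new URL(entry);
        return url.protocol === 'https:' && url.origin === entry;
    } catch {
        return false;
    }
}

// Hypothetical helper: returns findings; an empty list means both shapes agree
// and every entry is an allowlisted exact https origin.
function auditWidgetCsp(camel: CamelCsp, snake: SnakeCsp, allowlist: readonly string[]): string[] {
    const findings: string[] = [];
    const pairs: [string, readonly string[], readonly string[]][] = [
        ['connect', camel.connectDomains, snake.connect_domains],
        ['resource', camel.resourceDomains, snake.resource_domains],
    ];
    for (const [name, a, b] of pairs) {
        for (const d of a) if (b.indexOf(d) === -1) findings.push(`${name}: ${d} missing from snake_case`);
        for (const d of b) if (a.indexOf(d) === -1) findings.push(`${name}: ${d} missing from camelCase`);
        const union = [...a, ...b].filter((d, i, all) => all.indexOf(d) === i);
        for (const d of union) {
            if (!isExactHttpsOrigin(d)) findings.push(`${name}: ${d} is not an exact https origin`);
            else if (allowlist.indexOf(d) === -1) findings.push(`${name}: ${d} is not allowlisted`);
        }
    }
    return findings;
}

const ALLOWLIST: readonly string[] = [...RESOURCE_DOMAINS, ...CONNECT_DOMAINS];
// Constructed drift case: the snake_case copy gained a wildcard and lost a resource origin.
const DRIFTED: SnakeCsp = {
    connect_domains: ['https://api.example.com', 'https://*.example.org'],
    resource_domains: ['https://static.example.com'],
};
console.log(auditWidgetCsp(WIDGET_CSP, OPENAI_WIDGET_CSP, ALLOWLIST)); // no findings
console.log(auditWidgetCsp(WIDGET_CSP, DRIFTED, ALLOWLIST)); // three findings
```

Run as a unit test, a check like this fails the build if someone edits one shape without the other or widens a source list.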