DesignSetGo apps
Product

Overview

How it works Live demo Quickstart Examples Use cases

Build with AI

Connect your AI New Riff (AI builder) Astro + WooCommerce Security

Who it's for

Site owners Developers Agencies
Docs

Get started

Getting started Quickstart Astro on WordPress

Reference

Bridge API Manifest CLI reference
Pricing Blog Install free
FOR DEVELOPERS If you vibe-code from an editor (Claude Code / Cursor / Codex) and ship from a terminal. See the homepage for the broader paste-from-Claude flow.

WordPress as a deploy target for Claude Code, Cursor, and Codex.

Typed bridge to real WP data. App-Password auth that takes ten seconds. Atomic deploy with one CLI command. Choose iframe mode for untrusted bundles, or inline mode when you want native SEO and site-owned routes.

CLI reference Bridge client on GitHub

How to think about it

WordPress as a runtime, like Chrome runs extensions or Figma runs plugins.

DesignSetGo Apps is one WordPress plugin. The apps you ship through it are not plugins. They are sandboxed static bundles (HTML, JS, CSS, WASM) plus a dsgo-app.json manifest. The runtime loads them, sandboxes them, and feeds them WordPress data through a typed bridge. The app never sees a REST token.

The runtime

WordPress, plus this plugin.

Boots the app, enforces the CSP, owns auth, runs the bridge. The same role Chrome plays for extensions.

The app

A static bundle with a manifest.

Whatever your build emits, plus dsgo-app.json declaring permissions. No PHP, no shared process. Lives at /apps/{slug}.

The bridge

A typed postMessage API.

The app asks for posts, pages, the current user, storage, abilities. The runtime enforces what each app is allowed to see.

The shift in one line: anything you used to ship as a WordPress plugin with full trust (a calculator, a portal, a dashboard, an AI tool) becomes a sandboxed bundle with declared permissions instead. The category survives. The security model flips.

The loop

From init to live in three commands.

The CLI scaffolds a minimal starter by default, or an Astro starter with --astro for multi-page apps. Any static bundle works. It authenticates with a WordPress Application Password and pushes the bundle; each subsequent deploy is an atomic update at the same app id.

1 Scaffold

Start a new app.

A single index.html, a dsgo-app.json wired up, and an AGENTS.md (plus a CLAUDE.md import) documenting the bridge surface. No build step required, deploys as-is. Add --astro for the multi-page starter (booking flows, member portals, intake wizards).

designsetgo apps init my-app
2 Authenticate

Log in once.

Uses WordPress Application Passwords, built into core, scoped, revocable. Credentials are stored at ~/.config/designsetgo/credentials.json with 0600 permissions.

designsetgo apps login
3 Deploy

Ship it.

Bundles the directory, shows you the capability diff, and atomically replaces the bundle on the site. Re-run as often as you like, same app id, no downtime. For the Astro starter, pass --build so the CLI runs npm run build first.

designsetgo apps deploy

The bridge client

No REST plumbing. No auth boilerplate.

The @designsetgo/app-client package gives you typed access to your WordPress site. Same surface in inline mode (same window) and iframe mode (cross-frame); the transport is auto-selected.

src/app.ts · @designsetgo/app-client TS 
// Read posts, pages, the current user, and per-app storage.
// The bridge handles auth + REST behind the scenes.

import { dsgo } from "@designsetgo/app-client";
await dsgo.ready;

// Site context
const site = await dsgo.site.info();

// Real posts, filtered by what the current user can see
const { posts } = await dsgo.posts.list({
    type: "recipe",
    orderby: "date",
    order: "desc",
    per_page: 10,
});

// Logged-in user, and what they're allowed to do
const me = await dsgo.user.current();
if (await dsgo.user.can("edit_posts")) {
    // show the editor-only UI
}

// Per-app, per-user persistent storage; survives reloads
await dsgo.storage.user.set("favourites", [42, 88]);

What your AI agent sees

An AGENTS.md and a CLAUDE.md in every starter.

The starter ships a full extension manual at the project root. AGENTS.md is the vendor-neutral canonical file; Codex, Cursor, Aider, and any tool that follows the agents.md convention read it directly. CLAUDE.md is a one-line @-import of AGENTS.md so Claude Code picks up the same content without duplication or drift.

Claude Code

Reads CLAUDE.md automatically, which @-imports AGENTS.md. designsetgo apps init + open in Claude Code is the path of least resistance.

Codex CLI

Reads AGENTS.md as project context; that's the convention Codex's project memory uses. Already in place, nothing to rename.

Cursor / Aider

Both follow the AGENTS.md convention out of the box; the same file feeds them too.

Other agents

Pass AGENTS.md as additional context. The bridge spec is vendor-neutral; there's no Anthropic-specific coupling in the runtime.

Agent skills pack

Teach the agent the bridge before the project exists.

AGENTS.md answers the agent once it is inside a DSGo project. The DSGo skills pack answers it on the way in: installed at the user level, so the agent already knows the manifest schema, every dsgo.* method, and the CLI loop before apps init runs.

installs across every supported agent SH 
npx skills add DesignSetGo/skills
  • building-dsgo-apps Scaffolding, the inline-vs-iframe choice, project layout.
  • dsgo-manifest Every field of dsgo-app.json: routes, permissions, secrets, scheduled jobs, webhooks.
  • dsgo-bridge-api Every dsgo.* method, its permission gate, its error code shape.
  • deploying-dsgo-apps The @designsetgo/cli loop, preview deploys, CI with env-var auth.
  • dsgo-abilities Publishing abilities back to the site, consuming abilities, dsgo.ai.prompt tool calling.

Isolation modes

Inline for crawlable pages. Iframe for drop-in artifacts.

Same bundle format, same bridge, different rendering. Apps declare which they want in the manifest. See How it works for the deeper trade-off.

Inline (default)

Real WordPress page, native SEO.

Renders at /apps/{slug}/{route} with multi-page routes via routes, per-request CSP nonces, install-time sanitization, optional theme header/footer wrap, and automatic sitemap inclusion. Pick this for content-heavy apps.

Iframe

Opaque-origin sandbox.

App renders inside an <iframe sandbox> without allow-same-origin, giving it an opaque origin. Single-page, not crawlable, ideal for drop-in Claude artifacts and bundles you want the strongest isolation guarantee on.

License + price

CLI deploy is a Pro feature.

The bridge client (@designsetgo/app-client) and CLI (@designsetgo/cli) are MIT-licensed on GitHub. The plugin runtime is one zip; the CLI deploy flow gates on Pro ($149.99/yr, 3 sites) or Studio ($499/yr, unlimited sites). Free hosts uploaded bundles but not CLI pushes. See pricing

Three commands

Open Claude Code. Ship a real WP app.

The starter ships with the typed bridge wired up and an AGENTS.md documenting every method. designsetgo apps init --astro adds Astro for multi-page apps.

zsh · ~/my-app 
$ npm i -g @designsetgo/cli
$ designsetgo apps init my-mortgage --astro
  ✓ scaffolded · 12 files · 5 kB
$ designsetgo apps login --site example.com
  ✓ stored credentials
$ designsetgo apps deploy --site example.com
  ✓ live at example.com/apps/my-mortgage
  └ permissions: read_content, send_messages