modified create-mcp-app skill to support chatGPT

[mandpd]

Motivation and Context

The existing create-mcp-app SKILL.md only covers building MCP Apps for Claude. ChatGPT enforces additional metadata requirements (tool annotations, structuredContent responses,
widget CSP, widget domain) that are not documented in the skill. Developers building cross-host MCP Apps have to discover these requirements through trial and error against the ChatGPT
template configuration UI.

This change adds a comprehensive "ChatGPT Compliance" section so the skill can guide developers through both hosts' requirements in a single reference.

How Has This Been Tested?

• Built and deployed a weather forecast MCP App against both Claude and ChatGPT using the guidance in this skill
• Verified that adding annotations, structuredContent, _meta.ui.csp, and _meta.ui.domain resolves ChatGPT's template configuration errors ("Widget CSP is not set", "Widget
  domain is not set")
• Confirmed that the dual-path structuredContent / content text parsing pattern works in both Claude (which delivers content) and ChatGPT (which delivers structuredContent)
• Verified that all additions (annotations, CSP, domain) are safely ignored by Claude

Breaking Changes

None. All additions are purely documentation. Existing MCP Apps built with the original skill continue to work in Claude without modification.

Types of changes

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to change)
• Documentation update

Checklist

• I have read the MCP Documentation
• My code follows the repository's style guidelines
• New and existing tests pass locally
• I have added appropriate error handling
• I have added or updated documentation as needed

Additional context

Key additions to the skill:

• Tool annotations -- readOnlyHint, destructiveHint, openWorldHint with guidance on choosing values for different tool types
• structuredContent response pattern -- three-field response shape (structuredContent, content, _meta) with a cross-host parsing pattern that checks structuredContent
  first and falls back to content text
• Widget CSP and domain -- complete registerAppResource examples comparing Claude-only vs ChatGPT-compatible registration
• Transport requirements -- documents ChatGPT's HTTPS-only constraint with generic tunnelling service guidance
• File parameter inputs -- ChatGPT's openai/fileParams extension for user-uploaded files
• Compliance checklist -- 8-item pre-submission checklist
• 4 new common mistakes (items 9-12) covering ChatGPT-specific pitfalls
• Testing with ChatGPT subsection with tunnelling workflow

Reference: https://developers.openai.com/apps-sdk/build/mcp-server/

[Copilot]

Pull request overview

Updates the create-mcp-app skill documentation to cover MCP App requirements for ChatGPT in addition to Claude, so developers can build cross-host compatible MCP Apps without trial-and-error in ChatGPT’s template UI.

Changes:

• Expands the skill intro to explicitly target both Claude and ChatGPT.
• Adds a comprehensive “ChatGPT Compliance” section (tool annotations, structuredContent, widget CSP/domain, transport notes, file params, checklist).
• Extends “Common Mistakes” and “Testing” sections with ChatGPT-specific guidance.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

In the parseResult example, JSON.parse(text.text) can throw (especially given the earlier example content text is not JSON). Wrap the parse in a try/catch (or validate the string before parsing) so a non-JSON text block doesn’t crash the widget, and keep the parsed field name consistent with the structuredContent shape you recommend.

Suggested change

	if (structured?.data) {
	return { data: structured.data };
	}
	// Claude path: data embedded as JSON in content text
	const text = result.content?.find((c) => c.type === "text");
	if (text && "text" in text) {
	const parsed = JSON.parse(text.text);
	if (parsed.data) return { data: parsed.data };
	if (structured?.results) {
	return { results: structured.results };
	}
	// Claude path: data embedded as JSON in content text
	const text = result.content?.find((c) => c.type === "text");
	if (text && "text" in text) {
	try {
	const parsed = JSON.parse(text.text as string) as Record<string, unknown>;
	if (parsed && typeof parsed === "object" && "results" in parsed) {
	return { results: (parsed as { results: unknown }).results };
	}
	} catch {
	// Ignore JSON parse errors and fall through to the error return below.
	}

[Copilot]

The structuredContent example and the cross-host parsing guidance are inconsistent: the example returns structuredContent: { results: data } and a human sentence in content[0].text, but the later widget parser expects JSON in content[0].text and reads a data field. Align the field names and update the example content block(s) to match the documented fallback parsing approach (or adjust the parser guidance to match the example).

[jonathanhefner]

In general, I lean more toward including some of this information in our docs (where necessary), and pointing the skill to those (a la #416).

I also strongly prefer to avoid vendor-specific guidance as much as possible. (And I wonder if some of these issues are transient, i.e., oversights that OpenAI will fix.)

If there are enough persistent issues, then it may be worth creating a dedicated "Troubleshooting" guide, where we can call out vendor-specific problems that occur during the testing phase.

[jonathanhefner]

Just to confirm, ChatGPT requires these explicit annotations for all MCP tools (regardless of true/false)?

If that is the case, it might be more effective to simply add them to all of our examples. That way the agent should pick up on the pattern without having to call it out in the skill.

Another possibility (not necessarily better) would be to enforce their presence in the type signature of registerAppTool.

[jonathanhefner]

I would prefer to find a unified approach that works on all platforms (and update all of our examples to use that).

Is the difference that ChatGPT always shows structuredContent to the model, whereas Claude does not? (I know that was the case for OpenAI Apps SDK, but I didn't realize they were doing the same for MCP Apps.)

[jonathanhefner]

This sounds like a bug. The spec explicitly allows "empty or omitted":

ext-apps/specification/2026-01-26/apps.mdx

Lines 114 to 145 in 0bbbfee

	interface McpUiResourceCsp {
	/**
	* Origins for network requests (fetch/XHR/WebSocket)
	*
	* - Empty or omitted = no external connections (secure default)
	* - Maps to CSP `connect-src` directive
	*
	* @example
	* ["https://api.weather.com", "wss://realtime.service.com"]
	*/
	connectDomains?: string[],
	/**
	* Origins for static resources (images, scripts, stylesheets, fonts, media)
	*
	* - Empty or omitted = no external resources (secure default)
	* - Wildcard subdomains supported: `https://*.example.com`
	* - Maps to CSP `img-src`, `script-src`, `style-src`, `font-src`, `media-src` directives
	*
	* @example
	* ["https://cdn.jsdelivr.net", "https://*.cloudflare.com"]
	*/
	resourceDomains?: string[],
	/**
	* Origins for nested iframes
	*
	* - Empty or omitted = no nested iframes allowed (`frame-src 'none'`)
	* - Maps to CSP `frame-src` directive
	*
	* @example
	* ["https://www.youtube.com", "https://player.vimeo.com"]
	*/
	frameDomains?: string[],

[jonathanhefner]

Is domain: "https://my-weather-app.example.com" correct? I was under the impression that it would be something like domain: "my-weather-app-example-com" for ChatGPT, per:

ext-apps/specification/2026-01-26/apps.mdx

Lines 199 to 218 in 0bbbfee

	/**
	* Dedicated origin for view
	*
	* Optional domain for the view's sandbox origin. Useful when views need
	* stable, dedicated origins for OAuth callbacks, CORS policies, or API key allowlists.
	*
	* **Host-dependent:** The format and validation rules for this field are
	* determined by each host. Servers MUST consult host-specific documentation
	* for the expected domain format. Common patterns include:
	* - Hash-based subdomains (e.g., `{hash}.claudemcpcontent.com`)
	* - URL-derived subdomains (e.g., `www-example-com.oaiusercontent.com`)
	*
	* If omitted, Host uses default sandbox origin (typically per-conversation).
	*
	* @example
	* "a904794854a047f6.claudemcpcontent.com"
	* @example
	* "www-example-com.oaiusercontent.com"
	*/
	domain?: string,

In either case, I think we could add this to our example in the patterns guide, and that way we can omit it from the skill itself.

[jonathanhefner]

Unless I'm misunderstanding, I think this is not true (per the referenced example).

[jonathanhefner]

I do not think we should include this in any of our documentation.

If there is a single URL (or small number of URLs) that serve documentation for these extensions, we could possibly point to those, but only if the documentation presents the extensions as progressive enhancements (i.e., provides explicit guidance to not rely on those extensions).

[jonathanhefner]

I do not think we should position this as a "ChatGPT Compliance" checklist. To whatever extent a checklist is necessary (which it may not be, given other changes), it should be presented as a generic checklist.

The checklist is also duplicative with the "Common Mistakes to Avoid" section below. We should go with one or the other.