Sandboxed and connected.
Either half alone is a feature. The combination is a product.
Safe
If it breaks, your site is fine.
Sandboxed iframe with a CSP allowlist and a permission manifest. Browser-enforced isolation, not policy-enforced. Apps can’t take down your site or exfiltrate data.
Connected
Reads your posts, pages, and users.
Apps aren’t islands. A typed bridge gives them permissioned access to your WordPress data and the current user — with explicit consent at install time.
Native
Lives where WordPress lives.
Embed as a Gutenberg block inside any post, render at /apps/{slug}, or appear in wp-admin. Same login, same domain, same hosting. No CORS dance.
Two ways to build.
One place to run.
In your browser
Vibe-code in wp-admin.
Describe the tool. The AI builds it. Or drop a saved Claude artifact HTML file and it’s live in seconds — reading your real data.
From your AI client
Build from Claude or Cursor.
Connect your site via the WordPress MCP Adapter. Build and install apps without ever opening wp-admin. npx designsetgo apps init for the CLI path.
Get the full pitch · product brief · demos
The full story is at designsetgo.dev .
Full product brief, demos, the bridge API spec, and signup for early access.