Mini-Programs Overview
Mini-programs are sandboxed web apps that run directly inside the AI Supreme Council platform. They extend the platform with custom functionality -- from device sync tools to visual page builders -- all while running in a secure, permission-controlled environment.
What Are Mini-Programs?
A mini-program is a standard HTML/CSS/JS web app that runs inside a sandboxed iframe within the platform. Instead of navigating to a separate website, users launch mini-programs from the Apps section in the sidebar. The app replaces the chat area and has access to platform APIs through the window.ais SDK.
Mini-programs can:
- Read and send chat messages to interact with AI models
- Store data locally with per-app isolated storage
- Access bot configuration to know which model is active
- Show notifications and dialogs through the platform UI
- Read user info for personalization
- Register hooks to extend platform behavior
How They Work
```
+---------------------------+
|    AI Supreme Council     |
|        (host page)        |
|                           |
|  +---------------------+  |
|  |  Sandboxed iframe   |  |
|  |    (null origin)    |  |
|  |                     |  |
|  |   window.ais SDK    |  |
|  |          |          |  |
|  +----------|----------+  |
|             | postMessage |
|             v             |
|       Message Bridge      |
|     (permission check)    |
|     (method dispatch)     |
+---------------------------+
```
- SDK injection -- When a mini-program launches, the platform creates a sandboxed iframe and injects the window.ais SDK (~2 KB) as a <script> preamble before your app code.
- postMessage bridge -- Every SDK call (ais.storage.get(), ais.chat.send(), etc.) sends a postMessage to the host page. The host validates the calling app's permissions and dispatches the request to the appropriate platform module.
- Responses -- Results are sent back to the iframe via postMessage, where the SDK resolves the corresponding Promise.
Security Model
Mini-programs run in a strict security sandbox:
| Protection | How |
|---|---|
| Null origin | sandbox="allow-scripts allow-forms" -- no allow-same-origin, so the iframe gets a null origin |
| No parent DOM access | Cannot read or modify the host page's DOM, localStorage, or cookies |
| No network access to host origin | Cannot make same-origin requests to aiscouncil.com |
| Permission-gated APIs | Every SDK method beyond storage requires an explicit permission grant from the user |
| Per-app storage isolation | Storage keys are prefixed with mp:{app-name}: -- apps cannot read each other's data |
| Content-addressed caching | Entry HTML is fetched and cached at install time, not loaded from the network on each launch |
Mini-programs can still make network requests to external origins (their own CDN, third-party APIs, etc.) since allow-scripts permits fetch() and XMLHttpRequest. The network:fetch permission is for future proxied requests through the platform, not for restricting outbound network access.
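The bridge from "How They Work" combined with the protections in the table above, as an added example (not the platform's own code). The `{id, method, args}` wire format, the method-to-permission map, the app-name character rule and the `platform` object are assumptions made for illustration.

```javascript
// Added example: host-side bridge logic as pure functions (runs in Node or a browser).
// Assumed wire format: {id, method, args}. The method->permission map is hypothetical.
const REQUIRED_PERMISSION = {
  'storage.get': 'storage',
  'storage.set': 'storage',
  'chat.send': 'chat:write',
  'ui.toast': 'ui:toast',
};
// Assumed rule: no ':' in app names, so "mp:{app-name}:" prefixes cannot collide
// (app "a" + key "b:c" would otherwise equal app "a:b" + key "c").
const APP_NAME = /^[a-z0-9-]+$/;

function storageKey(appName, key) {
  if (!APP_NAME.test(appName)) throw new Error('invalid app name');
  return `mp:${appName}:${String(key)}`;
}

// app: {name, permissions: string[], frameWindow}; event: a MessageEvent-like object;
// platform: {store: Map, chatSend(text), toast(text)} supplied by the host (hypothetical).
function handleBridgeMessage(app, event, platform) {
  // A sandboxed frame without allow-same-origin reports origin "null", which is the
  // same for every such frame, so the sender is identified by window reference.
  if (event.source !== app.frameWindow) return null; // not this app: ignore, no reply
  const msg = event.data;
  if (!msg || typeof msg.id !== 'number' || typeof msg.method !== 'string') return null;
  const reply = (body) => ({ id: msg.id, ...body });

  // Own-property lookup: "constructor" or "__proto__" must not resolve to anything.
  if (!Object.prototype.hasOwnProperty.call(REQUIRED_PERMISSION, msg.method)) {
    return reply({ error: 'unknown method' });
  }
  const needed = REQUIRED_PERMISSION[msg.method];
  // Storage is always allowed; everything else needs the user's grant.
  if (needed !== 'storage' && !app.permissions.includes(needed)) {
    return reply({ error: `permission denied: ${needed}` });
  }
  const args = Array.isArray(msg.args) ? msg.args : [];
  switch (msg.method) {
    case 'storage.get':
      return reply({ result: platform.store.get(storageKey(app.name, args[0])) ?? null });
    case 'storage.set':
      platform.store.set(storageKey(app.name, args[0]), args[1]);
      return reply({ result: true });
    case 'chat.send':
      return reply({ result: platform.chatSend(String(args[0])) });
    default: // 'ui.toast' is the only mapped method left
      return reply({ result: platform.toast(String(args[0])) });
  }
}
```

In a browser the host would call this from its `message` listener and, when the result is non-null, send it back with `app.frameWindow.postMessage(reply, '*')`. A null-origin frame cannot be addressed by a specific target origin, which is why the window reference check carries the identification.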
Permission Dialog
When a user installs a mini-program, a permission dialog shows the app name, description, and the list of permissions it requests. The user must approve before installation proceeds. Apps that request only storage (always allowed) still show the dialog for transparency.
Comparison to Other Platforms
| Feature | aiscouncil Mini-Programs | WeChat Mini Programs | Chrome Extensions | PWAs |
|---|---|---|---|---|
| Runtime | Sandboxed iframe | Custom WebView | Isolated world + service worker | Full browser tab |
| Max size | 5 MB (HTML) / 50 MB (bundle) | 2-20 MB | No hard limit | No limit |
| Review required | No (Direct Install) | Yes (mandatory) | Yes (Chrome Web Store) | No |
| Offline support | Yes (cached at install) | Yes | Yes | Yes (Service Worker) |
| Platform APIs | window.ais SDK | wx API | chrome API | Web APIs only |
| Security model | Null-origin iframe | Custom sandbox | Content Security Policy | Same-origin |
| Distribution | URL, file upload, registry | WeChat Store only | Chrome Web Store | URL only |
Finding and Installing Apps
From the App Store
- Click the Apps icon in the left sidebar (or the app grid icon in the header on mobile)
- Browse the App Store section at the bottom of the apps panel
- Click Install on any app card
- Review the permissions in the dialog and click Allow
By URL (Sideloading)
- In the Apps panel, find the Sideload section
- Paste a manifest URL into the text field
- Click Install
- Review permissions and approve
By File Upload
- In the Apps panel, click Upload App
- Select a .html file (single-file app) or .ais bundle (ZIP archive)
- Review permissions and approve
See Sideloading Apps for full details on all installation methods.
Launching and Closing Apps
Launch: Click the Open button on any installed app card. The app replaces the chat area and takes over the main content panel.
Close: Apps can close themselves by calling ais.close(), or the user can click the X button in the apps title bar to return to the chat view.
When an app is closed:
- The iframe is destroyed and its message handler is removed
- The chat area is restored
- Any unsaved state in the app is lost (apps should use ais.storage to persist data)
Built-in Apps
The platform ships with two built-in mini-programs:
Device Sync
Sync profiles, API keys, and settings between devices. Supports three transfer methods:
- LAN sync -- Direct connection between devices on the same network
- QR code -- Scan a code to pair devices
- Internet relay -- WebRTC signaling through the API for devices on different networks
Permissions: storage, config:read, auth:read, ui:toast, secrets:sync
App Builder
Build web pages visually with AI content generation. Pick a template, edit sections using the active AI model, and export as a URL or HTML file. Publish directly to bcz.co with a custom slug.
Permissions: storage, chat:read, chat:write, ui:toast, auth:read, pages:publish
Next Steps
- SDK Reference -- Complete API documentation for window.ais
- Tutorial: Build Your First App -- Step-by-step guide to creating a mini-program
- Manifest Reference -- Schema documentation for manifest.json
- Sideloading Apps -- Install apps from URLs, files, and bundles
- Publishing to Registry -- Distribute your app to the community