# WasmMvcRuntime — Cepha (NetWasmMvc.SDK) > ASP.NET MVC running entirely in WebAssembly in the browser. Real Controllers, Razor > (.cshtml) views, EF Core, Identity, SignalR, CMUI material packs, and MCP discovery > compiled into a single browser-executable surface. SecureDOM trust model + CMUI Fusion > design system. IMPORTANT FOR AI AGENTS: this site is a client-rendered WebAssembly SPA. Fetching `/` or any `/docs/*` page returns only a loading shell — the rendered text is produced by the WASM worker and is NOT in the server HTML. Do NOT scrape the HTML and do NOT conclude the docs are unfetchable. The authoritative, machine-readable knowledge is the MCP/JSON below. Fetch these directly (plain HTTP GET, no WASM required). ## Live MCP endpoint (connect an MCP client here) - **`https://wmr-doc.pages.dev/mcp`** — a live JSON-RPC 2.0 MCP server (Streamable HTTP: `POST` messages; legacy HTTP+SSE handshake on `GET` with `Accept: text/event-stream`). CORS-open, no auth. Methods: `initialize`, `resources/list`, `resources/read`, `tools/list`, `tools/call`, `prompts/list`. Example: `POST /mcp` with `{"jsonrpc":"2.0","id":1,"method":"initialize"}`. ## Authoritative MCP / knowledge endpoints (fetch these first) - [MCP manifest](/api/mcp.json): server descriptor, capabilities, knowledge index + guardrails. - [SDK knowledge base](/api/sdk-knowledge.json): the authoritative SDK reference — sections: overview, runtime, hostingModes, shellContract, cmuiStorage, cmuiMaterials, sdkProperties, entityCrypt, esmIntegration, architectureInvariants, identityTopology, referenceApp, sarmadAccessibility, sarmadPlatform. - [MCP tools](/api/mcp-tools.json): callable tools manifest. - [MCP resources](/api/mcp-resources.json): resource manifest. ## Guardrails — read `architectureInvariants` + `identityTopology` before generating ANY app - This is **ASP.NET MVC in WebAssembly**, NOT a JavaScript SPA. Do NOT scaffold React/Vue/Angular or plain-JS apps, and do NOT introduce a static-CSS design system. Use **CMUI** (CMUI-L ships Bootstrap + jQuery defaults inside ASP.NET MVC templates; there are no app-owned static CSS files). - Do NOT create an app-owned `wwwroot/index.html` — the SDK generates the boot shell. - Views are **Razor (.cshtml)** rendered by the WASM worker; `main.js` only displays frames. - **CephaTopology** (Server / Browser / Mirror): a controller/action marked Server holds data that must NOT execute or be stored in the browser. **CEP-SEC-001**: OAuth/OIDC secrets and signing keys are **server-only** (deploy those parts to serverless). Never put a secure identity entirely in the browser (browser data is tamperable). This prevents the "vibe-coder" leaks the project exists to avoid. - Cross-domain identity: give both apps the **same assembly/application name** so the encrypted auth cookie is interoperable; the challenge domain returns via `returnUrl` to the frontend. - Sarmad assistant: `POST /api/sarmad/ask` (hosted Cloudflare mesh; the model runs on Cloudflare — no local model needed). - Canonical worked example (reference app): https://wmr-doc.pages.dev ## Docs routes (client-rendered — use `/api/sdk-knowledge.json` for the text) /docs · /docs/quickstart · /docs/architecture · /docs/sdk · /docs/cli · /docs/views · /docs/identity · /docs/data · /docs/security · /docs/esm · /docs/accessibility · /docs/sarmad-platform · /docs/components · /docs/pwa · /docs/maui · /docs/playground ## CMUI materials cmui-fusion · cmui-x · cmui-mob · cmui-shadcn · cmui-tailwind · cmui-radix ## Hosting modes (orthogonal axes — picking one does not exclude others) runtimes: browser, wasi · deployments: pwa, static-host, cloudflare-pages, cloudflare-worker · projectTypes: NetWasmMvc.SDK, Microsoft.NET.Sdk (MAUI sibling project)