fix: inline vendor JS libraries for MCP Apps CSP compatibility

CDN script tags are blocked by Content Security Policy in MCP Apps
iframes, causing "Vue is not defined" errors. Bundle the 4 JS
libraries (Vue, Cytoscape, dagre, cytoscape-dagre) as embedded
vendor files and inject them inline at serve time.

Author: felixgeelhaar

.gitignore

@@ -14,6 +14,7 @@
 
 # Dependency directories
 vendor/
+!mcp/ui/vendor/
 
 # IDE
 .idea/

mcp/resources.go

@@ -3,13 +3,34 @@ package mcp
 import (
 	"context"
 	_ "embed"
+	"strings"
 
 	"github.com/felixgeelhaar/mcp-go/server"
 )
 
 //go:embed ui/visualizer.html
 var visualizerHTML string
 
+//go:embed ui/vendor/vue.global.prod.js
+var vendorVue string
+
+//go:embed ui/vendor/cytoscape.min.js
+var vendorCytoscape string
+
+//go:embed ui/vendor/dagre.min.js
+var vendorDagre string
+
+//go:embed ui/vendor/cytoscape-dagre.min.js
+var vendorCytoscapeDagre string
+
+func assembledVisualizerHTML() string {
+	scripts := "<script>" + vendorVue + "</script>\n" +
+		"    <script>" + vendorCytoscape + "</script>\n" +
+		"    <script>" + vendorDagre + "</script>\n" +
+		"    <script>" + vendorCytoscapeDagre + "</script>"
+	return strings.Replace(visualizerHTML, "<!-- VENDOR_SCRIPTS -->", scripts, 1)
+}
+
 func registerResources(srv *server.Server) {
 	srv.Resource("ui://statekit/visualizer").
 		Name("Statekit Visualizer").
@@ -19,7 +40,7 @@ func registerResources(srv *server.Server) {
 			return &server.ResourceContent{
 				URI:      "ui://statekit/visualizer",
 				MimeType: "text/html",
-				Text:     visualizerHTML,
+				Text:     assembledVisualizerHTML(),
 			}, nil
 		})
 }