Most web apps are simple. A form. A dashboard. A calculator. A report. But shipping one still means a framework, a build step, a database, a hosting provider, DNS, and CI/CD. For what? A thing that could be a single HTML file.
You want to ship a calculator. You need: React (or Vue, or Svelte). A bundler. A package.json with 847 dependencies. A database you'll use for one table. Vercel or Netlify to host it. A domain. DNS propagation. SSL. A CI pipeline. A GitHub repo. A deployment preview.
For a calculator.
The dirty secret is that most web application use cases are genuinely lightweight. A dashboard pulling from a CSV. An inspection form that works offline. A report with some charts. These don't need a backend. They don't need a database. They don't need an ops team. They need an HTML file and somewhere to put it.
A wrap is a valid HTML file with a JSON manifest that makes it self-describing. That's the whole trick. The manifest declares what the file contains, what it needs, what it can do, and what security guarantees it provides. Any browser opens it. Any AI can generate it. Any tool can inspect it.
The manifest isn't decoration. It's the contract. permissions declares capabilities, all denied by default. connectivity tells you if it needs a network. tools exposes operations that AI agents can discover and call. security.tier determines the trust model. A viewer that understands the manifest can enforce permissions, verify signatures, and mediate every capability the wrap touches.
wrap.store: async key-value + collections. localStorage locally, real-time sync on platform.wrap.runtime bridge for host capabilities. Stubs gracefully when no host is present.Every wrap has a security tier. The spec defines four. Two are implemented now, two are reserved for future versions. Viewers that encounter an unknown tier refuse to render. Security fails closed, never open.
The capability model is deny-by-default. A wrap that declares permissions.network: "none" and includes the matching CSP gets genuine browser-level enforcement. No outbound requests, period. Permissions declared in the manifest are advisory without a viewer; the CSP is the enforcement layer. In the openwrap viewer, the wrap runs in a sandboxed iframe with viewer-injected CSP, so a malicious wrap can't even weaken its own policy.
Access control is derived from who has the link. Private wraps are visible only to people you invite. No separate auth system. No API keys for your users. Sharing a wrap is sharing a document. The permissions travel with the link.
HTML, CSS, and JavaScript is the most represented language family in training data. Every website ever built is a training example. AI generates complete, working, interactive web apps from a description. Better and more reliably than any other stack.
WRAP leans into this. The format is plain HTML with no build step, no JSX, no TypeScript, no framework. The thing AI generates is the thing that ships. No compilation. No transpilation. The artifact is the source.
This is the age of micro-applications. Launching one should be as easy as creating a Word document.
The manifest makes wraps AI-native in both directions. AI generates them fluently because the output format is just HTML. AI consumes them fluently because the manifest is a structured contract: intent describes what the wrap does, tools describes what the wrap can do, data.schemas describes what data it contains. An agent scanning a directory of wraps can read every manifest, call summarize on each, and pipe one wrap's output into another's input. No scraping. No OCR. No guessing.
The openwrap MCP server gives AI agents full access to the platform: create projects, read and write files, publish, manage collaborators. Describe what you want and the AI builds it as a wrap.
The spec also defines tool types that don't need a runtime at all. A sql tool can be executed by anything that can parse HTML and run SQLite. A json tool operates on embedded data. A document tool extracts structured content from the DOM. Only runtime tools need JavaScript. This means CLI tools, MCP servers, and AI agents can interact with wraps instantly, no browser required.
A wrap ships as a single HTML file, but you don't have to write it as one. openwrap projects are normal directories: index.html, styles.css, app.js, data files, assets. Proper separation. Proper structure. The kind of project an AI agent (or a human) can actually navigate and reason about.
When you're ready to ship, the platform packs everything into a single self-contained HTML file. Styles inlined, scripts concatenated, data embedded, manifest wired up, bootloader included. The output is a valid wrap that opens in any browser, works offline, and carries its own data.
This is the key insight: AI is great at writing vanilla HTML, CSS, and JS across well-structured files. It's terrible at editing a 3,000-line monolith. The project format gives AI the structure it needs to collaborate effectively. The pack step gives you the portability of a single file. You get both.
Unpack works in reverse. Drop any wrap and get back the project directory. Inspect it. Fork it. Hand it to a different AI. The format round-trips cleanly.
A single HTML file can embed a SQLite database (via sql.js, ~1MB). A full Python runtime with numpy (via Pyodide). A WASM-compiled Rust program. GPU-accelerated 3D via WebGPU. Audio synthesis. Video playback. A file that looks like a document is an application.
wrap.store on the platform syncs across connected users. Multiplayer wraps.connectivity: "offline" work with no network. Download it, fly to Antarctica, open it. Works.wrap.store without breaking the author's signature.Every app you use is really just a document with behavior. A spreadsheet is a table that can compute. A dashboard is a report that can filter. A form is a checklist that can submit. But we build them backwards. We build the app, then export a dead snapshot. A PDF. A CSV. A screenshot.
Wraps invert this. The document is the application. Information can be organized spatially, hierarchically, conditionally. Any axis. A medical history organized by anatomy. A construction bill where clicking "electrical" expands into subcontractor bids. A contract where you scrub through time to see every amendment. A dataset that renders differently for the CFO, the PM, and the inspector.
AI generates millions of interactive things a day. Every one is trapped in a chat window with no metadata, no security model, no way to share it, no way for another AI to pick it up. Meanwhile, the documents people actually share were designed for printers. They can't compute. They can't respond to the reader. When AI tries to read them back, it's scraping. OCR on PDFs, guessing at table boundaries, losing context.
Apps generate documents. Wraps are documents that don't need the app.
The building blocks have been here for years. AI writes HTML fluently. WebAssembly makes a single file genuinely powerful. Every device has a browser. What was missing is the convention: a manifest, a security model, a tool interface. WRAP is that missing layer.
WRAP is the open file format. openwrap is the platform. The spec defines file structure, manifest schema, security tiers, module types, tool interfaces, state management, and error handling. The platform provides collaboration, hosting, AI authoring, and real-time sync. You can use the format without the platform. You can rename .wrap to .html and it opens in any browser.