Give your AI coding agent a publish-HTML button (with MCP)

Steve Smith — Sat, 06 Jun 2026 22:22:54 +0000

Your coding agent writes HTML all day. A quick dashboard to eyeball some data. A PR writeup with a rendered diff. A status report, a Mermaid diagram, a one-off internal tool. Then what? You screenshot it into Slack, paste it into a gist, or spin up a Vercel project for a file you will delete tomorrow.

There is a verb missing from the agent toolbox: publish. Not deploy. Publish. One file in, one private URL out.

This post is about how to add that verb to any MCP-compatible agent, why "private by default" matters more than it sounds, and what the publish primitive looks like in practice.

The shape of the problem

A deploy is a project. It expects a repo, a build, a config, a domain. That is the right amount of ceremony for a product and far too much for the artifact-shaped output an agent emits dozens of times a session.

What an agent actually needs is closer to a paste-bin with teeth:

It writes a file. It gets back a URL. No project, no build step.
The URL is private by default, because agent output routinely embeds real data: API responses, customer rows, the prompt context itself.
When the agent revises the artifact, the same URL updates in place. You do not want 30 links from 30 iterations.

The Model Context Protocol (MCP) is the clean way to expose exactly this. If you have not used MCP, the one-line version: it is the standard every major AI assistant now speaks for calling tools, so a tool you expose once works in Claude Code, Cursor, Codex, Claude.ai, and the rest. (Longer primer: https://stacktr.ee/blog/mcp-servers-explained-for-developers)

The publish tool, conceptually

A publish-oriented MCP server needs one core tool and a few supporting ones. In MCP terms the action is a tool (model-controlled), the list of what you have published is a resource (the client reads it), and a saved "publish this privately" flow is a prompt (the user invokes it). If that tools/resources/prompts split is new to you, here is the breakdown: https://stacktr.ee/blog/mcp-resources-vs-tools-vs-prompts

The tool call itself is mundane, which is the point:

// the agent calls:
publish_html({ file: "dashboard.html" })

// it gets back:
{ "url": "https://stacktr.ee/p/3f9a2c7b1e", "expires": "24h" }

That is the whole interaction. The agent hands you a link. You send it to a teammate, who opens it with no account and no login.

Why "private by default" is the real feature

Public-by-default hosting made sense when humans hand-published finished pages. It is the wrong default for machine-generated HTML, because the agent does not pause to ask whether this particular file contains anything sensitive. It usually does.

Private by default flips the burden. The URL is unguessable, so the link itself is the credential. There is no directory listing, no search indexing, no crawl. If you need more, you add a layer: a shared password, or an email-domain gate so only @yourco.com addresses can open it. For the genuinely sensitive case, end-to-end encryption keeps the host from ever seeing plaintext.

None of that requires the agent to make a judgment call. The safe thing is the default thing.

Try it in one command

I build Stacktree, which is one implementation of this primitive: an MCP server for publishing HTML, private by default. Wiring it into your agent is a single command:

npx stacktree-install

It detects Claude Code, Cursor, Codex, OpenCode, and Amp, writes the MCP config for each, and the publish tools show up in your agent automatically. The first publish is anonymous and the link lives 24 hours, so you can prove it out before you even make an account.

It is MIT-licensed on the client side and listed in the official MCP registry as ee.stacktr/publish. Source for the server package: https://github.com/stevysmith/stacktree-mcp

The broader point

Whether or not you use Stacktree, the pattern is worth internalizing: as agents generate more artifacts, the missing infrastructure is not more compute or a fancier framework. It is small, sharp primitives that fit the agent loop. Publish is one of them. A file goes in, a private link comes out, and the agent can replace it in place when it iterates.