# SDK Include

> How to load the Pipeline SDK in your tool.

Add this script tag to your entry HTML file:

```html
<script src="/bridge/sdk.js"></script>
```

The SDK creates a `window.pipeline` namespace with all available methods. All methods return Promises.
The SDK waits internally for the bridge to be ready — you do not need to poll or delay before calling methods.

## Namespaces

The current SDK (v2.1.0) exposes:

```javascript
window.pipeline.context.get()
window.pipeline.customers.list({ page, pageSize })
window.pipeline.products.list({ page, pageSize })
window.pipeline.taskTemplates.list({ codes, page, pageSize })   // since v2.1.0
window.pipeline.costItems.list({ codes, page, pageSize })       // since v2.1.0
window.pipeline.jobs.list({ page, pageSize })
window.pipeline.quotes.list({ page, pageSize })
window.pipeline.quotes.create(request)
window.pipeline.quotes.addLines(lines)                          // quoting_extension only
```

`window.pipeline.version` reports the SDK version string at runtime.

## Runtime environment

Marketplace tools run inside a sandboxed iframe. A few host constraints to design around:

### Native modals are blocked

`alert()`, `confirm()`, and `prompt()` are silently ignored — the iframe is sandboxed
without the `allow-modals` capability. Calls to these functions log a warning to the
DevTools console and return immediately without showing anything to the user.

**Use in-page UI for all user feedback instead:**

* For ephemeral confirmations and errors, render a toast (a small, non-interactive
  div positioned `fixed; bottom: 1rem; right: 1rem;` that auto-hides after 2-3 seconds).
* For persistent warnings (e.g. "couldn't reach Pipeline catalogue, submit unavailable"),
  render a banner at the top of the tool with an inline retry button.
* For destructive confirmations (e.g. "clear all rows?"), use a two-click pattern:
  the first click changes the button label to "Click again to confirm" for a few
  seconds, the second click commits.

### Storage

The host does not expose a persistent-storage API to extensions. Use standard
[`localStorage`](https://developer.mozilla.org/en-US/docs/Web/API/Window/localStorage)
for tool-side preferences (pricing, defaults, the operator's last-used settings).
Storage is scoped to the iframe origin, which is per-tool.

Do **not** persist the in-progress quote in `localStorage` — Pipeline owns the quote.
Submit-or-discard is the expected lifecycle.

### XSS hygiene

If you build HTML via template strings (``element.innerHTML = `...` ``), escape every
interpolated user-supplied value. A 6-line helper is enough:

```javascript
function escHtml(s) {
  return String(s == null ? "" : s)
    .replaceAll("&", "&amp;").replaceAll("<", "&lt;").replaceAll(">", "&gt;")
    .replaceAll('"', "&quot;").replaceAll("'", "&#39;");
}
```

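Apply it to anything the operator typed (notes, location names, free-text
specifications) and to anything coming back from `customers.list` or `products.list`
(supplier names, descriptions). Numeric and boolean values are safe, provided they
really are of type number or boolean; a numeric-looking string is still a string and
must be escaped.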
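
One way to make the escaping rule above hard to forget is a tagged template that runs `escHtml` on every interpolation automatically. This is an added example, not part of the Pipeline SDK. The `html` tag, the `SafeHtml` class, `renderProductRows`, and the sample field names (`name`, `description`, `price`) are assumptions made for illustration.

```javascript
// escHtml as given on this page.
function escHtml(s) {
  return String(s == null ? "" : s)
    .replaceAll("&", "&amp;").replaceAll("<", "&lt;").replaceAll(">", "&gt;")
    .replaceAll('"', "&quot;").replaceAll("'", "&#39;");
}

// Hypothetical wrapper: marks markup produced by the html tag below so that
// nested templates are not escaped a second time.
class SafeHtml {
  constructor(markup) { this.markup = markup; }
  toString() { return this.markup; }
}

// Hypothetical tagged template: literal parts pass through unchanged, every
// interpolated value is escaped unless it is a SafeHtml (or an array of them).
function html(strings, ...values) {
  let out = strings[0];
  values.forEach((v, i) => {
    const parts = Array.isArray(v) ? v : [v];
    out += parts.map(p => (p instanceof SafeHtml ? p.markup : escHtml(p))).join("");
    out += strings[i + 1];
  });
  return new SafeHtml(out);
}

// Constructed sample data. The field names are assumptions, not the
// documented shape of a products.list response.
const sampleProducts = [
  { name: 'Oak "Classic" <b>door</b>', description: "<script>x</script>", price: 120 },
  { name: "Hinge & screws", description: null, price: 4.5 },
];

// Builds table markup in which supplier-controlled text cannot become markup.
function renderProductRows(products) {
  const rows = products.map(p =>
    html`<tr title="${p.name}"><td>${p.name}</td><td>${p.description}</td><td>${p.price}</td></tr>`);
  return html`<table>${rows}</table>`.toString();
}

// In the tool: tableContainer.innerHTML = renderProductRows(items);
```

This escaping covers element text and quoted attribute values only. It does not make a value safe inside an unquoted attribute, a URL attribute such as `href`, or an inline script or style block.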
