docs(spec): clarify ui.domain is host-dependent

Update the spec to clarify that:
- ui.domain format and validation rules are host-dependent
- Servers must consult host-specific documentation for expected format
- Common patterns: hash-based subdomains, URL-derived subdomains
- Updated examples to reflect realistic host-controlled domains

This addresses the gap between the spec's previous implied flexibility
(arbitrary domains like weather-widget.example.com) and real-world
constraints where hosts must control sandbox domains for security.

Author: ochafik

specification/draft/apps.mdx

@@ -195,15 +195,23 @@ interface UIResourceMeta {
     clipboardWrite?: {},
   },
   /**
-   * Dedicated origin for widget
+   * Dedicated sandbox origin for widget
    *
    * Optional domain for the widget's sandbox origin. Useful when widgets need
-   * dedicated origins for API key allowlists or cross-origin isolation.
+   * stable, dedicated origins for OAuth callbacks or API key allowlists.
    *
-   * If omitted, Host uses default sandbox origin.
+   * **Host-dependent:** The format and validation rules for this field are
+   * determined by each host. Servers MUST consult host-specific documentation
+   * for the expected domain format. Common patterns include:
+   * - Hash-based subdomains (e.g., `{hash}.claudemcpcontent.com`)
+   * - URL-derived subdomains (e.g., `www-example-com.oaiusercontent.com`)
    *
+   * If omitted, Host uses default sandbox origin (typically per-conversation).
+   *
+   * @example
+   * "a904794854a047f6.claudemcpcontent.com"
    * @example
-   * "https://weather-widget.example.com"
+   * "www-example-com.oaiusercontent.com"
    */
   domain?: string,
   /**