feat: add MCP Apps (SEP-1865) support#1335
Merged
Merged
Conversation
Contributor
Author
|
@copilot resolve the merge conflicts in this pull request |
Copilot stopped work on behalf of
mattdholloway due to an error
May 19, 2026 16:07
Adds opt-in 'enableMcpApps' session capability that advertises the
'extensions.io.modelcontextprotocol/ui' extension to MCP servers and
exposes 'session.rpc.mcp.apps.*' JSON-RPC methods.
Node SDK gains two pure helpers for hosts rendering 'ui://' MCP App
bundles in iframes:
- buildMcpAppsCspHeader — constructs the Content-Security-Policy header
per SEP-1865 §UI Resource Format + §Security Implications, including
the restrictive default ('connect-src none') when '_meta.ui.csp' is
absent and constructed defaults ('connect-src self', etc.) when it is
declared.
- buildMcpAppsAllowAttribute — maps '_meta.ui.permissions' to the iframe
'allow' attribute (Permission Policy).
Co-authored-by: Copilot <[email protected]>
mattdholloway
force-pushed
the
feat/mcp-apps-support
branch
from
5f12d41 to
0827b5a
Compare
This comment has been minimized.
This comment has been minimized.
![github-actions[bot]](https://avatars.githubusercontent.com/in/15368?s=60&v=4){kind=small}
Contributor
There was a problem hiding this comment.
Generated by SDK Consistency Review Agent for issue #1335 · ● 793.2K
Copilot stopped work on behalf of
mattdholloway due to an error
May 20, 2026 09:40
Mirror nodejs enableMcpApps across the other four SDKs so hosts using them can opt into MCP Apps (SEP-1865) UI passthrough by sending requestMcpApps on session.create / session.resume. - python: enable_mcp_apps kwarg on create_session / resume_session - go: EnableMcpApps field on SessionConfig / ResumeSessionConfig - dotnet: EnableMcpApps property on SessionConfig / ResumeSessionConfig - rust: request_mcp_apps field + with_request_mcp_apps builder Co-authored-by: Copilot <[email protected]>
Co-authored-by: Copilot <[email protected]>
This comment has been minimized.
This comment has been minimized.
Port the CSP directive injection defense from copilot-agent-runtime PR #7605 into the SDK. Without sanitization, an MCP server returning `frameDomains: ['evil.com; form-action *']` could break out of one CSP directive and inject sibling directives (CSP first-occurrence rule then lets an earlier injected `script-src *` win). Each server-supplied entry is now: - rejected if it contains CSP metacharacters ([;,\\s'"\\\\]) - accepted verbatim for the bare-scheme allowlist (data:, blob:, mediastream:, filesystem:) - otherwise parsed via URL and canonicalized to its origin; opaque origins (where `URL.origin` is the literal string 'null') are dropped Adds 10 sanitization tests mirroring runtime PR coverage. Co-authored-by: Copilot <[email protected]>
Reflect the runtime-side gate added in copilot-agent-runtime PR #7605: requestMcpApps is now honored server-side only when the MCP_APPS feature flag or COPILOT_MCP_APPS=true env override is set; otherwise the opt-in is silently dropped (the runtime logs a warning, but the SDK consumer sees nothing). Update the JSDoc / docstrings on Node, Go, .NET, and Rust to document this and to point at capabilities.ui.mcpApps on the create/resume response as the way to detect the silent drop. Also adds the diagnose method to the enumerated mcp.apps.* RPCs. Co-authored-by: Copilot <[email protected]>
This comment has been minimized.
This comment has been minimized.
Expose the runtime's response capability so consumers can detect when their enableMcpApps opt-in was silently dropped by the runtime gate (MCP_APPS feature flag / COPILOT_MCP_APPS env override unset). For each SDK: - Add mcpApps?: bool to the SessionUiCapabilities type - After session.create / session.resume, if the consumer requested the opt-in but capabilities.ui.mcpApps is not true on the response, log a warning (console.warn / logger.warning / slog / tracing::warn / fmt.Fprintf(os.Stderr, ...)) so the silent drop is discoverable. Co-authored-by: Copilot <[email protected]>
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
This comment has been minimized.
This comment has been minimized.
- python: ruff format reflowed the new _warn_if_mcp_apps_dropped helper - rust: tests/e2e/elicitation.rs constructs UiCapabilities as a struct literal; the new mcp_apps field made it non-exhaustive Co-authored-by: Copilot <[email protected]>
This comment has been minimized.
This comment has been minimized.
…t-logging CodeQL flags any value flowing from process.env as sensitive via taint analysis (joinSession() reads process.env.SESSION_ID which propagates to resumeSession's sessionId argument). The session ID is a UUID and not actually sensitive, but the alert noise is not worth it -- the warning is per-call so the consumer already knows which session triggered it. Co-authored-by: Copilot <[email protected]>
Contributor
Author
|
@copilot resolve the merge conflicts in this pull request |
Copilot stopped work on behalf of
mattdholloway due to an error
May 21, 2026 11:45
# Conflicts: # dotnet/src/Types.cs
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
Contributor
Author
|
@copilot resolve the merge conflicts in this pull request |
Co-authored-by: mattdholloway <[email protected]>
Contributor
Merged |
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
Co-authored-by: Copilot <[email protected]>
This comment has been minimized.
This comment has been minimized.
- Fix broken @link in Java SessionConfig (com.github.copilot.sdk.CopilotSession -> com.github.copilot.CopilotSession) - Revert stray mode change on .githooks/pre-commit (100755 -> 100644) - Rust: make enable_mcp_apps Option<bool> for consistency with sibling opt-ins (e.g. enable_config_discovery) - Python: remove stray blank line after logger init in client.py - Drop incorrect 'the SDK also logs a warning' wording from Python docstrings (the SDK no longer emits a warning; only the runtime does) Co-authored-by: Copilot <[email protected]>
Mark the new SEP-1865 MCP Apps public APIs as experimental across .NET, Node, Python, Go and Rust SDKs, following each SDK's existing convention (e.g. canvas surface): - .NET: [Experimental(Diagnostics.Experimental)] on SessionConfigBase.EnableMcpApps and SessionUiCapabilities.McpApps. No #pragma needed at internal call sites because GHCP001 is in the project's NoWarn. - Node: @experimental JSDoc tag on SessionConfigBase.enableMcpApps and SessionCapabilities.ui.mcpApps. - Python: **Experimental.** lead-in on enable_mcp_apps parameter docstrings (create_session, resume_session) and SessionUiCapabilities.mcpApps. - Go: // Experimental: ... doc lines on SessionConfig.EnableMcpApps, ResumeSessionConfig.EnableMcpApps and UICapabilities.McpApps. - Rust: **Experimental.** first paragraph on SessionConfig.enable_mcp_apps, ResumeSessionConfig.enable_mcp_apps, with_enable_mcp_apps (x2) and UiCapabilities.mcp_apps. Java is intentionally skipped — the repo has no precedent for marking Java APIs as experimental, so introducing a convention here is out of scope for this commit. Co-authored-by: Copilot <[email protected]>
…ield Match the surrounding request_* bool fields (request_user_input, request_permission, request_exit_plan_mode, request_auto_mode_switch, request_elicitation, hooks) which all serialize unconditionally. Snapshots don't capture these fields so there is no compatibility cost. Co-authored-by: Copilot <[email protected]>
SteveSandersonMS
approved these changes
May 28, 2026
Contributor
SteveSandersonMS
left a comment
SteveSandersonMS
left a comment
There was a problem hiding this comment.
Thanks @mattdholloway! Will merge when checks pass.
Co-authored-by: Copilot <[email protected]>
Contributor
Cross-SDK Consistency Review ✅This PR implements
API naming follows language conventions — camelCase (Node/Java), snake_case (Python/Rust), PascalCase (Go/.NET). Wire protocol is consistent — all SDKs send No cross-SDK consistency issues found.
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Adds opt-in MCP Apps (SEP-1865) support across all SDKs: a new
enableMcpAppssession flag and regenerated RPC/session-event types.Changes
enableMcpAppsopt-in (SessionConfig+ResumeSessionConfigin all SDKs) — plumbed to wire fieldrequestMcpApps. Defaults tofalse; hosts without an iframe renderer are unaffected.capabilities.ui.mcpAppson the create/resume response to detect whether the runtime honored the opt-in