AR

Overview

This PR implements full support for MCP Apps (Model Context Protocol) as per the specification in #1301. It enables interactive UIs within the chat interface while maintaining strict security and performance standards.

Key Technical Changes

  • Secure Sandboxing: Implemented McpAppFrame React component with a strict sandbox="allow-scripts" iframe to prevent XSS and unauthorized access.
  • Dynamic Resizing: Added a ResizeObserver and postMessage bridge to ensure the iframe adapts perfectly to the content height without scrollbars.
  • Resource Proxying: Created a new authenticated backend endpoint to securely proxy ui:// resources, allowing MCP apps to load assets while maintaining auth headers.
  • Metadata Persistence: Updated the MCP and LLM gateways to ensure _meta fields are preserved throughout the tool call lifecycle.
  • Testing: Comprehensive unit test suite covering 22/22 scenarios (valid URIs, edge cases, and type guards).

Demo

https://www.youtube.com/watch?v=TYvf72gKCJU

Checklist

  • Code compiles and runs locally
  • All 22 shared utility tests passed
  • Sandbox security verified
  • Demo video included

Fixes #1301 /claim #1301

Claim

Total prize pool $900
Total paid $0
Status Pending
Submitted February 21, 2026
Last updated February 21, 2026

Contributors

SH

sharondrm

@sharondrm

 100%

Sponsors

AR

Archestra

@archestra-ai

$900