feat: add MCP Apps (SEP-1865) support

[mattdholloway]

Adds opt-in MCP Apps (SEP-1865) support to the SDK.

What

• New enableMcpApps session capability (SessionConfig + ResumeSessionConfig). When true, the runtime advertises the extensions.io.modelcontextprotocol/ui extension to MCP servers and exposes the session.rpc.mcp.apps.{listTools,callTool,readResource,setHostContext,getHostContext} JSON-RPC methods. Defaults to false so hosts without an iframe renderer don't accidentally register UI-enabled tool variants they can't display.
• Two new pure helpers in the Node SDK for hosts that render ui:// MCP App bundles in iframes:
  • buildMcpAppsCspHeader(csp) — builds the Content-Security-Policy header per SEP-1865 §UI Resource Format + §Security Implications. Emits the restrictive default (connect-src 'none') when _meta.ui.csp is absent, and the constructed default (connect-src 'self' + declared domains, etc.) when it is declared (even with empty arrays).
  • buildMcpAppsAllowAttribute(permissions) — maps _meta.ui.permissions to the iframe allow attribute (Permission Policy), including the hyphenated clipboard-write name.
• Regenerated RPC/session-event types across Node, Python, Go, .NET, and Rust to pick up the new schema.

 sequenceDiagram
     autonumber
     participant Host as Host App
     participant SDK as Copilot SDK
     participant Sandbox as mcpAppsSandbox helpers
     participant Conn as JSON-RPC Connection
     participant Runtime as Copilot Runtime
     participant Iframe as ui iframe
 
     Note over Host,Runtime: 1. Opt-in via SDK config
     Host->>SDK: createSession({ enableMcpApps: true })
     SDK->>Conn: session.create { ..., requestMcpApps: true }
     Conn->>Runtime: JSON-RPC request
     Runtime-->>Conn: CreateSessionResponse
     Conn-->>SDK: response
     SDK-->>Host: CopilotSession
 
     Note over Runtime,Host: 2. Tool execution events forwarded unchanged
     Runtime-->>Conn: tool.execution_complete { uiResource, toolDescription._meta.ui }
     Conn-->>SDK: SessionEvent (untyped pass-through)
     SDK-->>Host: onEvent(event)
 
     Note over Host,Iframe: 3. Host builds sandboxed iframe using SDK helpers
     Host->>Sandbox: buildMcpAppsCspHeader(uiResource._meta.ui.csp)
     Sandbox-->>Host: CSP header value
     Host->>Sandbox: buildMcpAppsAllowAttribute(uiResource._meta.ui.permissions)
     Sandbox-->>Host: allow attribute value
     Host->>Iframe: render with CSP + allow + uiResource
 
     Note over Iframe,Runtime: 4. App-to-server RPCs (no typed SDK surface)
     Iframe->>Host: postMessage RPC
     Host->>Conn: raw JSON-RPC: session.rpc.mcp.apps.{listTools|callTool|readResource}
     Conn->>Runtime: forwarded
     Runtime-->>Conn: result (+ optional ephemeral mcp_app.tool_call_complete event)
     Conn-->>SDK: SessionEvent (untyped pass-through, callTool only)
     SDK-->>Host: onEvent(event)
     Conn-->>Host: RPC response
     Host-->>Iframe: postMessage response
 
     Note over Host,Runtime: 5. Resume preserves opt-in
     Host->>SDK: resumeSession({ enableMcpApps: true })
     SDK->>Conn: session.resume { ..., requestMcpApps: true }

Loading

Closes https://github.com/github/copilot-mcp-core/issues/1715
Depends on https://github.com/github/copilot-agent-runtime/pull/7605

[mattdholloway]

@copilot resolve the merge conflicts in this pull request

[github-actions]

Generated by SDK Consistency Review Agent for issue #1335 · ● 793.2K

[mattdholloway]

@copilot resolve the merge conflicts in this pull request

[github-actions]

Cross-SDK Consistency Review

I reviewed this PR across all five SDK implementations (Node.js, Python, Go, .NET, Rust) for feature parity and API consistency.

✅ Consistent across all SDKs

Feature	Node.js	Python	Go	.NET	Rust
enableMcpApps/enable_mcp_apps/EnableMcpApps/request_mcp_apps in SessionConfig	enableMcpApps?: boolean	enable_mcp_apps: bool = False	EnableMcpApps bool	EnableMcpApps on SessionConfigBase	request_mcp_apps: Option<bool>
Same field in ResumeSessionConfig	✓ (via Pick)	✓ (parameter)	✓	✓ (via SessionConfigBase)	✓
mcpApps/mcp_apps/McpApps in UICapabilities	✓	✓	✓	✓	✓
warnIfMcpAppsDropped helper	✓ console.warn	✓ logger.warning	✓ fmt.Fprintf(os.Stderr)	✓ _logger?.LogWarning	✓ tracing::warn!
requestMcpApps on wire request	✓ (always sends bool)	✓ (always sends bool)	✓ (only when true)	✓ (only when true)	✓ (only when true)

The core enableMcpApps session capability is consistently implemented across all five SDKs with idiomatic naming in each language. The warning helper is consistently present everywhere.

🟡 Intentionally Node.js-only: buildMcpAppsCspHeader / buildMcpAppsAllowAttribute

These iframe sandboxing helpers (nodejs/src/mcpAppsSandbox.ts) are explicitly described in the PR as "Node SDK helpers for hosts that render ui:// MCP App bundles in iframes." This is reasonable for an initial implementation since Node.js is the most common language for web hosting layers.

However, Python and Go are also widely used for web server development (e.g., FastAPI/Flask backends, Go HTTP servers), and these pure string-building functions would be equally valuable there. Consider a follow-up to port these helpers to Python and Go, since hosts built on those runtimes would also need to construct CSP headers and allow attributes when serving MCP App iframes.

Minor observation: requestMcpApps wire format

• Node.js / Python: always serializes the field (sends false/False when disabled)
• Go / .NET / Rust: only serializes when true (omitted when disabled)

This mirrors the pre-existing pattern for requestElicitation and other capability flags in each SDK, so it's not a new inconsistency. All servers treat absent and false identically.

---

Summary: The PR maintains strong cross-SDK consistency on the core feature. The only gap to consider for follow-up is porting the CSP/permission-policy sandbox helper functions to Python and Go for web-server use cases.

Generated by SDK Consistency Review Agent for issue #1335 · ● 500.9K · ◷