@modelcontextprotocol/ext-apps 1.0.0 → 1.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (15) hide show
  1. package/README.md +158 -417
  2. package/dist/src/app-bridge.d.ts +14 -0
  3. package/dist/src/app-bridge.js +25 -8
  4. package/dist/src/app-with-deps.js +24 -7
  5. package/dist/src/app.d.ts +15 -21
  6. package/dist/src/app.js +26 -9
  7. package/dist/src/generated/schema.d.ts +9 -0
  8. package/dist/src/react/index.js +23 -6
  9. package/dist/src/react/react-with-deps.js +23 -6
  10. package/dist/src/react/useApp.d.ts +2 -2
  11. package/dist/src/server/index.d.ts +91 -18
  12. package/dist/src/server/index.js +25 -8
  13. package/dist/src/spec.types.d.ts +110 -13
  14. package/dist/src/styles.d.ts +12 -12
  15. package/package.json +3 -3
package/dist/src/generated/schema.d.ts CHANGED
@@ -56,6 +56,13 @@ export declare const McpUiSandboxProxyReadyNotificationSchema: z.ZodObject<{
56
56
  }, z.core.$strip>;
57
57
  /**
58
58
  * @description Content Security Policy configuration for UI resources.
59
+ *
60
+ * Servers declare which origins their UI requires. Hosts use this to enforce appropriate CSP headers.
61
+ *
62
+ * > [!IMPORTANT]
63
+ * > MCP App HTML runs in a sandboxed iframe with no same-origin server.
64
+ * > **All** origins must be declared—including where your bundled JS/CSS is
65
+ * > served from (`localhost` in dev, your CDN in production).
59
66
  */
60
67
  export declare const McpUiResourceCspSchema: z.ZodObject<{
61
68
  connectDomains: z.ZodOptional<z.ZodArray<z.ZodString>>;
@@ -65,6 +72,8 @@ export declare const McpUiResourceCspSchema: z.ZodObject<{
65
72
  }, z.core.$strip>;
66
73
  /**
67
74
  * @description Sandbox permissions requested by the UI resource.
75
+ *
76
+ * Servers declare which browser capabilities their UI needs.
68
77
  * Hosts MAY honor these by setting appropriate iframe `allow` attributes.
69
78
  * Apps SHOULD NOT assume permissions are granted; use JS feature detection as fallback.
70
79
  */