Documentation
¶
Index ¶
- Constants
- func DefaultSandboxCSP() string
- func EffectiveAppsPolicy(cfg spec.MCPServerConfig) spec.MCPAppsPolicy
- func IsAppMIMEType(mime string) bool
- func ToolVisibleToApp(info *spec.MCPToolAppInfo) bool
- func ToolVisibleToModel(info *spec.MCPToolAppInfo) bool
- func ValidateAppToolInvocation(cfg spec.MCPServerConfig, tool spec.MCPToolCapability, ...) error
Constants ¶
const ( // AppExtensionID is the MCP extension identifier for MCP Apps. AppExtensionID = "io.modelcontextprotocol/ui" // AppMIMEType is the required MIME type for an MCP Apps UI resource. AppMIMEType = "text/html;profile=mcp-app" VisibilityModel = "model" VisibilityApp = "app" )
Variables ¶
This section is empty.
Functions ¶
func DefaultSandboxCSP ¶
func DefaultSandboxCSP() string
DefaultSandboxCSP returns a restrictive CSP suitable for srcdoc iframes hosting untrusted MCP App HTML. With sandbox="allow-scripts" the iframe has a unique opaque origin, so 'self' refers to that opaque origin.
func EffectiveAppsPolicy ¶
func EffectiveAppsPolicy(cfg spec.MCPServerConfig) spec.MCPAppsPolicy
EffectiveAppsPolicy returns the configured policy or a safe default.
func IsAppMIMEType ¶
IsAppMIMEType returns true if mime is a valid MCP Apps MIME type, tolerating whitespace and additional parameters after the profile.
func ToolVisibleToApp ¶
func ToolVisibleToApp(info *spec.MCPToolAppInfo) bool
ToolVisibleToApp reports whether the tool may be called by an MCP App.
func ToolVisibleToModel ¶
func ToolVisibleToModel(info *spec.MCPToolAppInfo) bool
ToolVisibleToModel reports whether the tool can be exposed to the LLM. A nil/empty visibility list defaults to model+app, so unknown servers don't accidentally hide tools.
func ValidateAppToolInvocation ¶
func ValidateAppToolInvocation( cfg spec.MCPServerConfig, tool spec.MCPToolCapability, appServerID spec.MCPServerID, ) error
ValidateAppToolInvocation enforces the cross-server, visibility, and policy constraints for tool calls whose source is "app".
- serverID must match between the request and the app instance (the caller is responsible for passing the app's serverID).
- server.appsPolicy.enabled must be true.
- server.appsPolicy.allowAppInitiatedToolCalls must be true.
- The tool must declare "app" visibility (or omit visibility entirely).
Types ¶
This section is empty.