The PR stays open for now as the reference.
Wave 1 (parallel): 1556 1557 1558 1559 1560 1561 1562 1563 1564 1548
│ │ │ │ │ │ │
┌────────────────┘ │ │ │ │ │ │
│ Apps host lane │ │ │ │ CLI lane │ │
│ │ 1565 │ │ 1573 │
│ │ │ │ │ │ │
│ │ 1566 ◄──┼─────┼──── (csp lib 1558) │ │
│ │ ┌─┼──┬──┴──┬──┘ │ │
│ │ 1570│1571 1569 1574 ◄──┼── 1556, 1557
│ │ │ │ │
│ │ 1567 (hostContext 1559) 1575 ◄──┴── 1548
│ │ │ │
│ │ 1568 │
│ │ 1572 ──────────────┐ │
└──────────────────────┴──────────────────────┼──────────────────┘
Wave 4: 1576 ──► 1577 ──► 1578
Background
PR #1510 (@tobinsouth) is a valuable roll-up of gaps hit while using the inspector as the reference host for testing widgets against the
@modelcontextprotocol/ext-appsspec — plus a CLI/deep-link path for programmatic review. At +6,551/−453 across 61 files it touches a large amount of code we already have confidence in ahead of the v2 beta, so rather than merging it wholesale we are decomposing it into scoped issues and re-implementing each one deliberately, using the PR's diff (head33fac3f) as the reference implementation. Each sub-issue links the relevant files/symbols in the PR.The PR stays open for now as the reference.
Sub-issues
Wave 1 — Foundations (no interdependencies; all 10 can be worked in parallel, e.g. with concurrent subagents — disjoint file sets)
AppInfo+extractAppInfo()(core/mcp/apps.ts)mcp_app_demopreset +_metaplumbinglib/sandbox-csp.ts)AppRenderer/hostContext.ts)downloadFile.tsenhancementsgenerateOAuthStateWebCrypto-only; callback rejects badstateHTTPS_PROXY/HTTP_PROXY/NO_PROXYsupport in the Node transportRemoteOAuthStorage+ async hydration (pre-existing issue — PR feat(web/apps): spec-conformant Apps host + CLI/deep-link path for programmatic review #1510 contains a complete reference implementation)client_secret/code/refresh_token/access_tokenin OAuth request/response bodies & URLs; to be done this wave, tracked in the MCP Apps Extension column)clients/web/src/lib/**under the vitest coverage include globs (follow-up surfaced by the feat(web): downloadFile.ts enhancements (downloadBlob, fileNameFromUri, isHttpUrl) #1586/feat(web): add sandbox CSP builder library (closes #1558) #1588/Web: migrate auth store to shared /store API (RemoteOAuthStorage parity with TUI/CLI) #1592 smoke-audit —src/libis absent fromcoverage.include, sodownloadFile.ts/sandbox-csp.ts/remoteOAuthStorage.tsaren't gate-enforced; feat(web): add sandbox CSP builder library (closes #1558) #1588 worked around it per-file; Backlog — blocked until the Wave-1src/libPRs merge)test:coverageintermittently fails on ServerConfigModal/InspectorView/PromptArgumentsForm/import-modals/useServers/inspectorClient under instrumented load; zero-flake requirement; MCP Apps Extension column)Wave 2 — Apps host lane (sequential within the lane — shared
createAppBridgeFactory.ts/AppRenderer.tsx/AppsScreen.tsx; runs in parallel with Wave 3)frame-ancestors_meta.ui.csp+ surface resource-read failures (needs web: sandbox CSP builder library (lib/sandbox-csp.ts) #1558, web: sandbox hardening — opaque-origin inner frame, srcdoc-only delivery, frame-ancestors CSP #1565)host-context-changed(needs web: extract hostContext utilities for the Apps host (AppRenderer/hostContext.ts) #1559, web: enforce per-app _meta.ui.csp in the app bridge + surface resource-read failures #1566)size-changed+request-display-mode(needs web: full hostContext delivery + live host-context-changed updates #1567)ui/download-file(needs web: downloadFile.ts enhancements (downloadBlob, fileNameFromUri, isHttpUrl) #1560, web: enforce per-app _meta.ui.csp in the app bridge + surface resource-read failures #1566)ui/message+ App-logs panels (needs web: enforce per-app _meta.ui.csp in the app bridge + surface resource-read failures #1566)Wave 3 — CLI lane (sequential within the lane — shared
cli.ts; runs in parallel with Wave 2)--method initialize,--tool-args-json,--connect-timeout, env-var fixes (needs cli: exit-code map + structured JSON error envelopes #1564)--app-infoprobe +--format jsonenvelope (needs core: add AppInfo + extractAppInfo() to core/mcp/apps.ts #1556, test-servers: mcp_app_demo preset + _meta support on tool/resource definitions #1557, cli: exit-code map + structured JSON error envelopes #1564, cli: programmatic ergonomics — --method initialize, --tool-args-json, --connect-timeout, env-var fixes #1573)Wave 4 — Integration (after both lanes)
?autoConnect=truequery param to connect on page load #1183)openApp/appArgs/autoOpen(needs web: deep-link auto-connect (?serverUrl&transport&autoConnect) + machine-readable connection status #1576, web: app lifecycle status + machine-readable data attributes on the Apps screen #1572)Dependency graph
(1572 feeds 1577; 1576 also informs 1575's
--print-handofflink format.)Parallelization with subagents
AppRenderer.tsx/AppsScreen.tsx/createAppBridgeFactory.ts, Wave 3 items all editcli.ts, so concurrent edits would conflict.#1576 → #1577 → #1578).Process notes
33fac3f— re-implement informed by the contribution, don't cherry-pick blindly; each PR must meet AGENTS.md rules (per-file ≥90 coverage on all four dimensions, Mantine theme/withProps rules, README updates, noany).v2/mainwith thev2label, In Review.