fix: remove CSP from tool metadata, keep on resource only#3754
Merged
Conversation
Per the MCP Apps spec, McpUiToolMeta only defines resourceUri and visibility. CSP belongs on the UIResourceMeta (the renderer resource), where we already set it correctly via _ensure_prefab_renderer. Closes #3735
jlowin
added
the
bug
marvin-context-protocol
Bot
added
the
mcp apps
jlowin
added
breaking change
|
Hi @jlowin , not sure if this change is working quite right. In MCP Inspector, I still see the And more importantly, still not seeing the customized For reference, my tool declaration is: |
jlowin
added a commit
that referenced
this pull request
Apr 10, 2026
Replaces the singleton ui://prefab/renderer.html with per-tool renderer resources synthesized on demand from the address registry. Each prefab tool gets a unique URI ui://prefab/tool/<hash>/renderer.html where the hash is deterministic from the tool's mount-point address. Nothing is materialized or stored: list_resources walks the registry and returns synthesized TextResource entries; read_resource intercepts matching URIs and produces fresh content + CSP from the tool's stored meta; list_tools rewrites tool meta via model_copy so the wire format exposes the per-tool URI without ever mutating the original Tool object. Closes the bug from PR #3754: PrefabAppConfig(csp=...) now actually applies to the rendered resource, all four *_domains fields are preserved (the old singleton silently dropped frame_domains and base_uri_domains), and CSP is stripped from the tool wire format where it never belonged. Closes #3735.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
The MCP Apps spec defines
McpUiToolMetaas{resourceUri, visibility}only — CSP belongs onUIResourceMeta, not the tool. We were putting CSP on both the tool and the renderer resource; the resource was already correct, so this just strips the redundant CSP from the tool's_meta.ui.Two call sites:
_expand_prefab_ui_meta(auto-wired prefab tools) andFastMCPApp.ui()(explicit app tools). Both now buildAppConfigwith onlyresource_uri/visibility, matching the spec's tool interface.Note this is technically a breaking change though unused and undocumented.
Closes #3735