If a tool call that has an associated MCP App resource needs approval, then the behavior is strange: the UI is shown, and the tool call arguments are passed to it via a ui/notifications/tool-input, but the tool isn't actually called until the user approves it.

This is problematical on a couple of levels

• It's very confusing to the user - after the model called the tool, something has already happened, but they are being asked to approve the tool call.
• The UI resource is likely in a half-filled state - while this is a normal transient state, it's again going to be confusing to the user what is going on.
• The resource can make external network connections as allowed in its configuration, and act on or exfiltrate the tool call input parameters

To Reproduce
Steps to reproduce the behavior:

1. Run https://github.com/modelcontextprotocol/ext-apps/tree/main/examples/wiki-explorer-server (npm run dev) and add it as a goose extension
2. Try to use it via the model
3. The UI is displayed, in a partially initialized state, and the permission request is after that
4. When the user approves the tool call, the UI finishes initialization and the model receives the tool call results

Expected behavior
The user's permission is requested before the UI resource is displayed.

Screenshots
If applicable, add screenshots to help explain your problem.

Before approval:

After approval:

(OTOH if the UI only needs the tool inputs and not the response, like say, https://github.com/modelcontextprotocol/ext-apps/tree/main/examples/sheet-music-server then the user will be even more puzzled by the approval prompt.)

Please provide the following information

• OS & Arch: Any
• Interface: UI
• Version: v1.19.1
• Extensions enabled: None
• • Provider & Model: Any