Skip to content

feat: limited MCP App support #10132

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
RomneyDa wants to merge 5 commits into
base: main
Choose a base branch
from
Open

feat: limited MCP App support #10132

RomneyDa wants to merge 5 commits into from

Conversation

@RomneyDa
Copy link
Collaborator

@RomneyDa RomneyDa commented Feb 2, 2026
edited
Loading

note, most new lines are in package lock. this is a 400 line PR

Adds MCP Apps support for continue

  • When tools load checks _meta for ui info, and after tool call reads UI resource and injects in iframe
  • There are a bunch of bugs when trying to use mcp-ui components within VS Code (or at least I couldn't figure it out) so I just made a fresh iframe
  • Supports limited app interactivity
    • open link
    • add message to chat and stream
    • call tool (for now only works for tools from the same mcp server)
    • log to console
  • Not supported yet
    • list resources
    • read resource
    • update model context

Example MCP configs to test:

{
  "mcpServers": {
    "threejs": {
      "command": "npx",
      "args": [
        "-y",
        "--silent",
        "--registry=https://registry.npmjs.org/",
        "@modelcontextprotocol/server-threejs",
        "--stdio"
      ]
    }
  }
}
image 
{
  "mcpServers": {
    "basic-react": {
      "command": "npx",
      "args": [
        "-y",
        "--silent",
        "--registry=https://registry.npmjs.org/",
        "@modelcontextprotocol/server-basic-react",
        "--stdio"
      ]
    }
  }
}
image

Continue Tasks: ▶️ 1 queued — View all

Summary by cubic

Adds MCP App support so MCP tools can render interactive UIs inside Continue. The UI is loaded from the tool’s MCP UI resource and shown in a secure iframe with a postMessage bridge.

  • New Features

    • Loads UI from tool _meta.ui.resourceUri or _meta["ui/resourceUri"], fetches via MCP readResource, and renders in a srcdoc iframe using ext-apps AppBridge/PostMessage with CSP/permission hints and auto-resizing.
    • Supports: open links, send chat messages (streamed), call tools from the same MCP server, and console logging.
    • Tool pipeline updates: callTool returns mcpUiState; session stores it; ToolCallDiv renders McpAppRenderer when present; added MCPConnection.getResource and mcpMeta plumbing.
    • Current limitations: listing/reading resources and updating model context are not supported yet.

  • Dependencies

    • Added @modelcontextprotocol/ext-apps to core and gui.

Written for commit ab680d0. Summary will update on new commits.

@RomneyDa RomneyDa requested a review from a team as a code owner February 2, 2026 18:38
@RomneyDa RomneyDa requested review from Patrick-Erichsen and removed request for a team February 2, 2026 18:38
@dosubot dosubot bot added the size:XL This PR changes 500-999 lines, ignoring generated files. label Feb 2, 2026
@RomneyDa RomneyDa changed the title feat: MCP App support feat: limited MCP App support Feb 2, 2026
@github-actions
Copy link

github-actions bot commented Feb 2, 2026
edited
Loading

✅ Review Complete

Code Review Summary

⚠️ Continue API authentication failed. Please check your CONTINUE_API_KEY.

cubic-dev-ai[bot]
cubic-dev-ai bot reviewed Feb 2, 2026
View reviewed changes
Copy link
Contributor

@cubic-dev-ai cubic-dev-ai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

2 issues found across 17 files

Prompt for AI agents (all issues) 

Check if these issues are valid — if so, understand the root cause of each and fix them.


<file name="gui/src/pages/gui/ToolCallDiv/MCPAppRenderer.tsx">

<violation number="1" location="gui/src/pages/gui/ToolCallDiv/MCPAppRenderer.tsx:129">
P1: The iframe renders MCP-provided HTML via srcDoc and enables "allow-same-origin" with scripts, which removes the opaque origin normally provided by sandboxing. This lets untrusted MCP HTML run scripts with same-origin access to the parent webview (window.parent/DOM), defeating isolation. Unless same-origin access is strictly required, drop allow-same-origin or gate it to trusted content.</violation>

<violation number="2" location="gui/src/pages/gui/ToolCallDiv/MCPAppRenderer.tsx:223">
P2: Successful tool calls are always marked as errors because `isError` is hardcoded to `true` after the success path.</violation>
</file>

Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.

@RomneyDa RomneyDa mentioned this pull request Feb 2, 2026
Open
9 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@cubic-dev-ai cubic-dev-ai[bot] cubic-dev-ai[bot] left review comments

@Patrick-Erichsen Patrick-Erichsen Awaiting requested review from Patrick-Erichsen Patrick-Erichsen is a code owner automatically assigned from continuedev/continue-code-reviewers

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

size:XL This PR changes 500-999 lines, ignoring generated files.

Projects

Issues and PRs
Status: Todo

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@RomneyDa