From e5b1c8a2bc79066190c0196acf44176eb7f88af0 Mon Sep 17 00:00:00 2001
From: Andrew Harvard <aharvard@squareup.com>
Date: Fri, 20 Mar 2026 15:56:43 -0400
Subject: [PATCH 1/5] feat: support ui/update-model-context for MCP Apps

Implement the ui/update-model-context method from the MCP Apps
specification, allowing MCP App views to push context updates to the
host agent without triggering immediate action.

Context updates are stored in-memory (last-write-wins per app key) and
injected alongside MOIM as a synthetic user message on the next agent
turn, giving the model awareness of app state.

- Add McpAppContext store on Agent with update/collect methods
- Add /agent/update_model_context server endpoint
- Integrate with MOIM injection in moim.rs
- Handle ui/update-model-context in McpAppRenderer
- Add 7 unit tests covering store, overwrite, collect, and injection

Signed-off-by: Andrew Harvard <aharvard@squareup.com>
Co-authored-by: Goose <opensource@block.xyz>
Ai-assisted: true
---
 crates/goose-server/src/openapi.rs            |   2 +
 crates/goose-server/src/routes/agent.rs       |  49 +++++++
 crates/goose/src/agents/agent.rs              | 132 ++++++++++++++++++
 crates/goose/src/agents/mod.rs                |   4 +-
 crates/goose/src/agents/moim.rs               |  79 ++++++++++-
 ui/desktop/openapi.json                       |  61 ++++++++
 ui/desktop/src/api/index.ts                   |   4 +-
 ui/desktop/src/api/sdk.gen.ts                 |  11 +-
 ui/desktop/src/api/types.gen.ts               |  39 ++++++
 .../src/components/McpApps/McpAppRenderer.tsx |  30 +++-
 10 files changed, 399 insertions(+), 12 deletions(-)

diff --git a/crates/goose-server/src/openapi.rs b/crates/goose-server/src/openapi.rs
index eec8aeefe2ac..66e0cc95adf6 100644
--- a/crates/goose-server/src/openapi.rs
+++ b/crates/goose-server/src/openapi.rs
@@ -425,6 +425,7 @@ derive_utoipa!(Icon as IconSchema);
         super::routes::agent::get_tools,
         super::routes::agent::read_resource,
         super::routes::agent::call_tool,
+        super::routes::agent::update_model_context,
         super::routes::agent::list_apps,
         super::routes::agent::export_app,
         super::routes::agent::import_app,
@@ -640,6 +641,7 @@ derive_utoipa!(Icon as IconSchema);
         super::routes::agent::ReadResourceResponse,
         super::routes::agent::CallToolRequest,
         super::routes::agent::CallToolResponse,
+        super::routes::agent::UpdateModelContextRequest,
         ContentBlockSchema,
         super::routes::agent::ListAppsRequest,
         super::routes::agent::ListAppsResponse,
diff --git a/crates/goose-server/src/routes/agent.rs b/crates/goose-server/src/routes/agent.rs
index 392a00e3db38..6229e783b85a 100644
--- a/crates/goose-server/src/routes/agent.rs
+++ b/crates/goose-server/src/routes/agent.rs
@@ -169,6 +169,18 @@ pub struct CallToolResponse {
     _meta: Option<Value>,
 }
 
+#[derive(Deserialize, utoipa::ToSchema)]
+#[serde(rename_all = "camelCase")]
+pub struct UpdateModelContextRequest {
+    session_id: String,
+    /// Key identifying the MCP App (typically `"{extension}__{resourceUri}"`)
+    key: String,
+    #[serde(default)]
+    content: Option<Vec<Value>>,
+    #[serde(default)]
+    structured_content: Option<Value>,
+}
+
 #[derive(Serialize, utoipa::ToSchema)]
 pub struct ResumeAgentResponse {
     pub session: Session,
@@ -1100,6 +1112,42 @@ async fn call_tool(
     }))
 }
 
+#[utoipa::path(
+    post,
+    path = "/agent/update_model_context",
+    request_body = UpdateModelContextRequest,
+    responses(
+        (status = 200, description = "Model context updated"),
+        (status = 401, description = "Unauthorized"),
+        (status = 424, description = "Agent not initialized"),
+        (status = 500, description = "Internal server error")
+    ),
+    security(
+        ("api_key" = [])
+    ),
+    tag = "Agent"
+)]
+async fn update_model_context(
+    State(state): State<Arc<AppState>>,
+    Json(payload): Json<UpdateModelContextRequest>,
+) -> Result<(), StatusCode> {
+    let agent = state
+        .get_agent_for_route(payload.session_id.clone())
+        .await?;
+
+    agent
+        .update_mcp_app_context(
+            payload.key,
+            goose::agents::McpAppContext {
+                content: payload.content,
+                structured_content: payload.structured_content,
+            },
+        )
+        .await;
+
+    Ok(())
+}
+
 #[derive(Deserialize, utoipa::IntoParams, utoipa::ToSchema)]
 pub struct ListAppsRequest {
     session_id: Option<String>,
@@ -1306,6 +1354,7 @@ pub fn routes(state: Arc<AppState>) -> Router {
         .route("/agent/tools", get(get_tools))
         .route("/agent/read_resource", post(read_resource))
         .route("/agent/call_tool", post(call_tool))
+        .route("/agent/update_model_context", post(update_model_context))
         .route("/agent/list_apps", get(list_apps))
         .route("/agent/export_app/{name}", get(export_app))
         .route("/agent/import_app", post(import_app))
diff --git a/crates/goose/src/agents/agent.rs b/crates/goose/src/agents/agent.rs
index ee31d401e112..87328ba2774e 100644
--- a/crates/goose/src/agents/agent.rs
+++ b/crates/goose/src/agents/agent.rs
@@ -64,6 +64,14 @@ use tracing::{debug, error, info, instrument, warn};
 const DEFAULT_MAX_TURNS: u32 = 1000;
 const COMPACTION_THINKING_TEXT: &str = "goose is compacting the conversation...";
 
+/// Context provided by an MCP App via `ui/update-model-context`.
+/// Each update overwrites the previous one for the same key.
+#[derive(Clone, Debug)]
+pub struct McpAppContext {
+    pub content: Option<Vec<Value>>,
+    pub structured_content: Option<Value>,
+}
+
 /// Context needed for the reply function
 pub struct ReplyContext {
     pub conversation: Conversation,
@@ -152,6 +160,9 @@ pub struct Agent {
     pub(super) retry_manager: RetryManager,
     pub(super) tool_inspection_manager: ToolInspectionManager,
     container: Mutex<Option<Container>>,
+    /// Context provided by MCP Apps via `ui/update-model-context`, keyed by
+    /// `"{extension_name}__{resource_uri}"`. Only the latest update per key is kept.
+    pub(super) mcp_app_contexts: Mutex<HashMap<String, McpAppContext>>,
 }
 
 #[derive(Clone, Debug)]
@@ -250,6 +261,7 @@ impl Agent {
                 provider.clone(),
             ),
             container: Mutex::new(None),
+            mcp_app_contexts: Mutex::new(HashMap::new()),
         }
     }
 
@@ -481,6 +493,42 @@ impl Agent {
         self.container.lock().await.clone()
     }
 
+    /// Store context from an MCP App's `ui/update-model-context` request.
+    pub async fn update_mcp_app_context(&self, key: String, context: McpAppContext) {
+        self.mcp_app_contexts.lock().await.insert(key, context);
+    }
+
+    /// Collect all stored MCP App contexts for injection into the conversation.
+    pub async fn collect_mcp_app_contexts(&self) -> Option<String> {
+        let contexts = self.mcp_app_contexts.lock().await;
+        if contexts.is_empty() {
+            return None;
+        }
+
+        let mut parts = Vec::new();
+        for (key, ctx) in contexts.iter() {
+            let mut section = format!("<mcp-app-context source=\"{key}\">\n");
+            if let Some(content) = &ctx.content {
+                for block in content {
+                    if let Some(text) = block.get("text").and_then(|v| v.as_str()) {
+                        section.push_str(text);
+                        section.push('\n');
+                    }
+                }
+            }
+            if let Some(structured) = &ctx.structured_content {
+                if let Ok(json_str) = serde_json::to_string_pretty(structured) {
+                    section.push_str(&json_str);
+                    section.push('\n');
+                }
+            }
+            section.push_str("</mcp-app-context>");
+            parts.push(section);
+        }
+
+        Some(parts.join("\n"))
+    }
+
     /// Check if a tool is a frontend tool
     pub async fn is_frontend_tool(&self, name: &str) -> bool {
         self.frontend_tools.lock().await.contains_key(name)
@@ -1184,11 +1232,13 @@ impl Agent {
                     break;
                 }
 
+                let mcp_app_context = self.collect_mcp_app_contexts().await;
                 let conversation_with_moim = super::moim::inject_moim(
                     &session_config.id,
                     conversation.clone(),
                     &self.extension_manager,
                     &working_dir,
+                    mcp_app_context,
                 ).await;
 
                 let mut stream = Self::stream_response_from_provider(
@@ -2308,4 +2358,86 @@ mod tests {
 
         Ok(())
     }
+
+    #[tokio::test]
+    async fn test_mcp_app_context_empty_returns_none() {
+        let agent = Agent::new();
+        assert!(agent.collect_mcp_app_contexts().await.is_none());
+    }
+
+    #[tokio::test]
+    async fn test_mcp_app_context_stores_and_collects() {
+        let agent = Agent::new();
+
+        agent
+            .update_mcp_app_context(
+                "ext__ui://ext/tool".to_string(),
+                McpAppContext {
+                    content: Some(vec![
+                        serde_json::json!({"type": "text", "text": "User selected 3 items"}),
+                    ]),
+                    structured_content: None,
+                },
+            )
+            .await;
+
+        let result = agent.collect_mcp_app_contexts().await;
+        assert!(result.is_some());
+        let text = result.unwrap();
+        assert!(text.contains("User selected 3 items"));
+        assert!(text.contains("ext__ui://ext/tool"));
+    }
+
+    #[tokio::test]
+    async fn test_mcp_app_context_overwrites_previous() {
+        let agent = Agent::new();
+        let key = "ext__ui://ext/tool".to_string();
+
+        agent
+            .update_mcp_app_context(
+                key.clone(),
+                McpAppContext {
+                    content: Some(vec![
+                        serde_json::json!({"type": "text", "text": "old context"}),
+                    ]),
+                    structured_content: None,
+                },
+            )
+            .await;
+
+        agent
+            .update_mcp_app_context(
+                key,
+                McpAppContext {
+                    content: Some(vec![
+                        serde_json::json!({"type": "text", "text": "new context"}),
+                    ]),
+                    structured_content: None,
+                },
+            )
+            .await;
+
+        let text = agent.collect_mcp_app_contexts().await.unwrap();
+        assert!(text.contains("new context"));
+        assert!(!text.contains("old context"));
+    }
+
+    #[tokio::test]
+    async fn test_mcp_app_context_structured_content() {
+        let agent = Agent::new();
+
+        agent
+            .update_mcp_app_context(
+                "ext__ui://ext/tool".to_string(),
+                McpAppContext {
+                    content: None,
+                    structured_content: Some(serde_json::json!({"items": 3, "total": 150})),
+                },
+            )
+            .await;
+
+        let text = agent.collect_mcp_app_contexts().await.unwrap();
+        assert!(text.contains("\"items\": 3"));
+        assert!(text.contains("\"total\": 150"));
+    }
 }
diff --git a/crates/goose/src/agents/mod.rs b/crates/goose/src/agents/mod.rs
index 1b41a743182b..45b6c88db621 100644
--- a/crates/goose/src/agents/mod.rs
+++ b/crates/goose/src/agents/mod.rs
@@ -23,7 +23,9 @@ mod tool_execution;
 pub mod types;
 pub mod validate_extensions;
 
-pub use agent::{Agent, AgentConfig, AgentEvent, ExtensionLoadResult, GoosePlatform};
+pub use agent::{
+    Agent, AgentConfig, AgentEvent, ExtensionLoadResult, GoosePlatform, McpAppContext,
+};
 pub use container::Container;
 pub use execute_commands::COMPACT_TRIGGERS;
 pub use extension::{ExtensionConfig, ExtensionError};
diff --git a/crates/goose/src/agents/moim.rs b/crates/goose/src/agents/moim.rs
index 840017fb1706..fb5e8871779c 100644
--- a/crates/goose/src/agents/moim.rs
+++ b/crates/goose/src/agents/moim.rs
@@ -14,21 +14,30 @@ pub async fn inject_moim(
     conversation: Conversation,
     extension_manager: &ExtensionManager,
     working_dir: &Path,
+    mcp_app_context: Option<String>,
 ) -> Conversation {
     if SKIP.with(|f| f.get()) {
         return conversation;
     }
 
-    if let Some(moim) = extension_manager
+    let moim = extension_manager
         .collect_moim(session_id, working_dir)
-        .await
-    {
+        .await;
+
+    let combined = match (moim, mcp_app_context) {
+        (Some(m), Some(ctx)) => Some(format!("{m}\n{ctx}")),
+        (Some(m), None) => Some(m),
+        (None, Some(ctx)) => Some(ctx),
+        (None, None) => None,
+    };
+
+    if let Some(injected_text) = combined {
         let mut messages = conversation.messages().clone();
         let idx = messages
             .iter()
             .rposition(|m| m.role == Role::Assistant)
             .unwrap_or(0);
-        messages.insert(idx, Message::user().with_text(moim));
+        messages.insert(idx, Message::user().with_text(injected_text));
 
         let (fixed, issues) = fix_conversation(Conversation::new_unvalidated(messages));
 
@@ -65,7 +74,7 @@ mod tests {
             Message::assistant().with_text("Hi"),
             Message::user().with_text("Bye"),
         ]);
-        let result = inject_moim("test-session-id", conv, &em, &working_dir).await;
+        let result = inject_moim("test-session-id", conv, &em, &working_dir, None).await;
         let msgs = result.messages();
 
         assert_eq!(msgs.len(), 3);
@@ -90,7 +99,7 @@ mod tests {
         let working_dir = PathBuf::from("/test/dir");
 
         let conv = Conversation::new_unvalidated(vec![Message::user().with_text("Hello")]);
-        let result = inject_moim("test-session-id", conv, &em, &working_dir).await;
+        let result = inject_moim("test-session-id", conv, &em, &working_dir, None).await;
 
         assert_eq!(result.messages().len(), 1);
 
@@ -125,7 +134,7 @@ mod tests {
                 .with_tool_response("search_2", Ok(rmcp::model::CallToolResult::success(vec![]))),
         ]);
 
-        let result = inject_moim("test-session-id", conv, &em, &working_dir).await;
+        let result = inject_moim("test-session-id", conv, &em, &working_dir, None).await;
         let msgs = result.messages();
 
         assert_eq!(msgs.len(), 6);
@@ -141,4 +150,60 @@ mod tests {
             "MOIM should be in message before latest assistant message"
         );
     }
+
+    #[tokio::test]
+    async fn test_mcp_app_context_injected_alongside_moim() {
+        let temp_dir = tempfile::tempdir().unwrap();
+        let em = ExtensionManager::new_without_provider(temp_dir.path().to_path_buf());
+        let working_dir = PathBuf::from("/test/dir");
+
+        let conv = Conversation::new_unvalidated(vec![
+            Message::user().with_text("Hello"),
+            Message::assistant().with_text("Hi"),
+            Message::user().with_text("Bye"),
+        ]);
+
+        let app_ctx = Some(
+            "<mcp-app-context source=\"ext__uri\">\nUser selected 3 items\n</mcp-app-context>"
+                .to_string(),
+        );
+        let result = inject_moim("test-session-id", conv, &em, &working_dir, app_ctx).await;
+
+        let all_text: String = result
+            .messages()
+            .iter()
+            .flat_map(|m| m.content.iter())
+            .filter_map(|c| c.as_text())
+            .collect::<Vec<_>>()
+            .join("\n");
+
+        assert!(all_text.contains("<mcp-app-context"));
+        assert!(all_text.contains("User selected 3 items"));
+    }
+
+    #[tokio::test]
+    async fn test_mcp_app_context_only() {
+        SKIP.with(|f| f.set(false));
+        let temp_dir = tempfile::tempdir().unwrap();
+        let em = ExtensionManager::new_without_provider(temp_dir.path().to_path_buf());
+        let working_dir = PathBuf::from("/test/dir");
+
+        let conv = Conversation::new_unvalidated(vec![Message::user().with_text("Hello")]);
+
+        let app_ctx = Some(
+            "<mcp-app-context source=\"ext__uri\">\nSome context\n</mcp-app-context>".to_string(),
+        );
+        let result = inject_moim("test-session-id", conv, &em, &working_dir, app_ctx).await;
+
+        let all_text: String = result
+            .messages()
+            .iter()
+            .flat_map(|m| m.content.iter())
+            .filter_map(|c| c.as_text())
+            .collect::<Vec<_>>()
+            .join("\n");
+
+        assert!(all_text.contains("<mcp-app-context"));
+        assert!(all_text.contains("Some context"));
+    }
 }
diff --git a/ui/desktop/openapi.json b/ui/desktop/openapi.json
index 2e3671b272bb..03d5bb6e3eb0 100644
--- a/ui/desktop/openapi.json
+++ b/ui/desktop/openapi.json
@@ -628,6 +628,43 @@
         }
       }
     },
+    "/agent/update_model_context": {
+      "post": {
+        "tags": [
+          "Agent"
+        ],
+        "operationId": "update_model_context",
+        "requestBody": {
+          "content": {
+            "application/json": {
+              "schema": {
+                "$ref": "#/components/schemas/UpdateModelContextRequest"
+              }
+            }
+          },
+          "required": true
+        },
+        "responses": {
+          "200": {
+            "description": "Model context updated"
+          },
+          "401": {
+            "description": "Unauthorized"
+          },
+          "424": {
+            "description": "Agent not initialized"
+          },
+          "500": {
+            "description": "Internal server error"
+          }
+        },
+        "security": [
+          {
+            "api_key": []
+          }
+        ]
+      }
+    },
     "/agent/update_provider": {
       "post": {
         "tags": [
@@ -8699,6 +8736,30 @@
           }
         }
       },
+      "UpdateModelContextRequest": {
+        "type": "object",
+        "required": [
+          "sessionId",
+          "key"
+        ],
+        "properties": {
+          "content": {
+            "type": "array",
+            "items": {},
+            "nullable": true
+          },
+          "key": {
+            "type": "string",
+            "description": "Key identifying the MCP App (typically `\"{extension}__{resourceUri}\"`)"
+          },
+          "sessionId": {
+            "type": "string"
+          },
+          "structuredContent": {
+            "nullable": true
+          }
+        }
+      },
       "UpdateProviderRequest": {
         "type": "object",
         "required": [
diff --git a/ui/desktop/src/api/index.ts b/ui/desktop/src/api/index.ts
index dbe9fb8e9b31..6e892e6a1994 100644
--- a/ui/desktop/src/api/index.ts
+++ b/ui/desktop/src/api/index.ts
@@ -1,4 +1,4 @@
 // This file is auto-generated by @hey-api/openapi-ts
 
-export { addExtension, agentAddExtension, agentRemoveExtension, backupConfig, callTool, cancelDownload, cancelLocalModelDownload, checkProvider, cleanupProviderCache, configureProviderOauth, confirmToolAction, createCustomProvider, createRecipe, createSchedule, decodeRecipe, deleteLocalModel, deleteModel, deleteRecipe, deleteSchedule, deleteSession, detectProvider, diagnostics, downloadHfModel, downloadModel, encodeRecipe, exportApp, exportSession, forkSession, getCanonicalModelInfo, getCustomProvider, getDictationConfig, getDownloadProgress, getExtensions, getLocalModelDownloadProgress, getModelSettings, getPrompt, getPrompts, getProviderCatalog, getProviderCatalogTemplate, getProviderModels, getRepoFiles, getSession, getSessionExtensions, getSessionInsights, getSlashCommands, getTools, getTunnelStatus, importApp, importSession, initConfig, inspectRunningJob, killRunningJob, listApps, listLocalModels, listModels, listRecipes, listSchedules, listSessions, mcpUiProxy, type Options, parseRecipe, pauseSchedule, providers, readAllConfig, readConfig, readResource, recipeToYaml, recoverConfig, removeConfig, removeCustomProvider, removeExtension, reply, resetPrompt, restartAgent, resumeAgent, runNowHandler, savePrompt, saveRecipe, scanRecipe, scheduleRecipe, searchHfModels, searchSessions, sendTelemetryEvent, sessionCancel, sessionEvents, sessionReply, sessionsHandler, setConfigProvider, setRecipeSlashCommand, startAgent, startNanogptSetup, startOpenrouterSetup, startTetrateSetup, startTunnel, status, stopAgent, stopTunnel, systemInfo, transcribeDictation, unpauseSchedule, updateAgentProvider, updateCustomProvider, updateFromSession, updateModelSettings, updateSchedule, updateSession, updateSessionName, updateSessionUserRecipeValues, updateWorkingDir, upsertConfig, upsertPermissions, validateConfig } from './sdk.gen';
-export type { ActionRequired, ActionRequiredData, AddExtensionData, AddExtensionErrors, AddExtensionRequest, AddExtensionResponse, AddExtensionResponses, AgentAddExtensionData, AgentAddExtensionErrors, AgentAddExtensionResponse, AgentAddExtensionResponses, AgentRemoveExtensionData, AgentRemoveExtensionErrors, AgentRemoveExtensionResponse, AgentRemoveExtensionResponses, Annotations, Author, AuthorRequest, BackupConfigData, BackupConfigErrors, BackupConfigResponse, BackupConfigResponses, CallToolData, CallToolErrors, CallToolRequest, CallToolResponse, CallToolResponse2, CallToolResponses, CancelDownloadData, CancelDownloadErrors, CancelDownloadResponses, CancelLocalModelDownloadData, CancelLocalModelDownloadErrors, CancelLocalModelDownloadResponses, CancelRequest, ChatRequest, CheckProviderData, CheckProviderRequest, CleanupProviderCacheData, CleanupProviderCacheErrors, CleanupProviderCacheResponse, CleanupProviderCacheResponses, ClientOptions, CommandType, ConfigKey, ConfigKeyQuery, ConfigResponse, ConfigureProviderOauthData, ConfigureProviderOauthErrors, ConfigureProviderOauthResponses, ConfirmToolActionData, ConfirmToolActionErrors, ConfirmToolActionRequest, ConfirmToolActionResponses, Content, ContentBlock, Conversation, CreateCustomProviderData, CreateCustomProviderErrors, CreateCustomProviderResponse, CreateCustomProviderResponse2, CreateCustomProviderResponses, CreateRecipeData, CreateRecipeErrors, CreateRecipeRequest, CreateRecipeResponse, CreateRecipeResponse2, CreateRecipeResponses, CreateScheduleData, CreateScheduleErrors, CreateScheduleRequest, CreateScheduleResponse, CreateScheduleResponses, CspMetadata, DeclarativeProviderConfig, DecodeRecipeData, DecodeRecipeErrors, DecodeRecipeRequest, DecodeRecipeResponse, DecodeRecipeResponse2, DecodeRecipeResponses, DeleteLocalModelData, DeleteLocalModelErrors, DeleteLocalModelResponses, DeleteModelData, DeleteModelErrors, DeleteModelResponses, DeleteRecipeData, DeleteRecipeErrors, DeleteRecipeRequest, DeleteRecipeResponse, DeleteRecipeResponses, DeleteScheduleData, DeleteScheduleErrors, DeleteScheduleResponse, DeleteScheduleResponses, DeleteSessionData, DeleteSessionErrors, DeleteSessionResponses, DetectProviderData, DetectProviderErrors, DetectProviderRequest, DetectProviderResponse, DetectProviderResponse2, DetectProviderResponses, DiagnosticsData, DiagnosticsErrors, DiagnosticsResponse, DiagnosticsResponses, DictationProvider, DictationProviderStatus, DownloadHfModelData, DownloadHfModelErrors, DownloadHfModelResponse, DownloadHfModelResponses, DownloadModelData, DownloadModelErrors, DownloadModelRequest, DownloadModelResponses, DownloadProgress, DownloadStatus, EmbeddedResource, EncodeRecipeData, EncodeRecipeErrors, EncodeRecipeRequest, EncodeRecipeResponse, EncodeRecipeResponse2, EncodeRecipeResponses, Envs, EnvVarConfig, ErrorResponse, ExportAppData, ExportAppError, ExportAppErrors, ExportAppResponse, ExportAppResponses, ExportSessionData, ExportSessionErrors, ExportSessionResponse, ExportSessionResponses, ExtensionConfig, ExtensionData, ExtensionEntry, ExtensionLoadResult, ExtensionQuery, ExtensionResponse, ForkRequest, ForkResponse, ForkSessionData, ForkSessionErrors, ForkSessionResponse, ForkSessionResponses, FrontendToolRequest, GetCanonicalModelInfoData, GetCanonicalModelInfoResponse, GetCanonicalModelInfoResponses, GetCustomProviderData, GetCustomProviderErrors, GetCustomProviderResponse, GetCustomProviderResponses, GetDictationConfigData, GetDictationConfigResponse, GetDictationConfigResponses, GetDownloadProgressData, GetDownloadProgressErrors, GetDownloadProgressResponse, GetDownloadProgressResponses, GetExtensionsData, GetExtensionsErrors, GetExtensionsResponse, GetExtensionsResponses, GetLocalModelDownloadProgressData, GetLocalModelDownloadProgressErrors, GetLocalModelDownloadProgressResponse, GetLocalModelDownloadProgressResponses, GetModelSettingsData, GetModelSettingsErrors, GetModelSettingsResponse, GetModelSettingsResponses, GetPromptData, GetPromptErrors, GetPromptResponse, GetPromptResponses, GetPromptsData, GetPromptsResponse, GetPromptsResponses, GetProviderCatalogData, GetProviderCatalogErrors, GetProviderCatalogResponse, GetProviderCatalogResponses, GetProviderCatalogTemplateData, GetProviderCatalogTemplateErrors, GetProviderCatalogTemplateResponse, GetProviderCatalogTemplateResponses, GetProviderModelsData, GetProviderModelsErrors, GetProviderModelsResponse, GetProviderModelsResponses, GetRepoFilesData, GetRepoFilesResponse, GetRepoFilesResponses, GetSessionData, GetSessionErrors, GetSessionExtensionsData, GetSessionExtensionsErrors, GetSessionExtensionsResponse, GetSessionExtensionsResponses, GetSessionInsightsData, GetSessionInsightsErrors, GetSessionInsightsResponse, GetSessionInsightsResponses, GetSessionResponse, GetSessionResponses, GetSlashCommandsData, GetSlashCommandsResponse, GetSlashCommandsResponses, GetToolsData, GetToolsErrors, GetToolsQuery, GetToolsResponse, GetToolsResponses, GetTunnelStatusData, GetTunnelStatusResponse, GetTunnelStatusResponses, GooseApp, GooseMode, HfGgufFile, HfModelInfo, HfQuantVariant, Icon, ImageContent, ImportAppData, ImportAppError, ImportAppErrors, ImportAppRequest, ImportAppResponse, ImportAppResponse2, ImportAppResponses, ImportSessionData, ImportSessionErrors, ImportSessionRequest, ImportSessionResponse, ImportSessionResponses, InitConfigData, InitConfigErrors, InitConfigResponse, InitConfigResponses, InspectJobResponse, InspectRunningJobData, InspectRunningJobErrors, InspectRunningJobResponse, InspectRunningJobResponses, JsonObject, KillJobResponse, KillRunningJobData, KillRunningJobResponses, ListAppsData, ListAppsError, ListAppsErrors, ListAppsRequest, ListAppsResponse, ListAppsResponse2, ListAppsResponses, ListLocalModelsData, ListLocalModelsResponse, ListLocalModelsResponses, ListModelsData, ListModelsResponse, ListModelsResponses, ListRecipeResponse, ListRecipesData, ListRecipesErrors, ListRecipesResponse, ListRecipesResponses, ListSchedulesData, ListSchedulesErrors, ListSchedulesResponse, ListSchedulesResponse2, ListSchedulesResponses, ListSessionsData, ListSessionsErrors, ListSessionsResponse, ListSessionsResponses, LoadedProvider, LocalModelResponse, McpAppResource, McpUiProxyData, McpUiProxyErrors, McpUiProxyResponses, Message, MessageContent, MessageEvent, MessageMetadata, ModelCapabilities, ModelConfig, ModelDownloadStatus, ModelInfo, ModelInfoData, ModelInfoQuery, ModelInfoResponse, ModelSettings, ModelTemplate, ParseRecipeData, ParseRecipeError, ParseRecipeErrors, ParseRecipeRequest, ParseRecipeResponse, ParseRecipeResponse2, ParseRecipeResponses, PauseScheduleData, PauseScheduleErrors, PauseScheduleResponse, PauseScheduleResponses, Permission, PermissionLevel, PermissionsMetadata, PrincipalType, PromptContentResponse, PromptsListResponse, ProviderCatalogEntry, ProviderDetails, ProviderEngine, ProviderMetadata, ProvidersData, ProvidersResponse, ProvidersResponse2, ProvidersResponses, ProviderTemplate, ProviderType, RawAudioContent, RawEmbeddedResource, RawImageContent, RawResource, RawTextContent, ReadAllConfigData, ReadAllConfigResponse, ReadAllConfigResponses, ReadConfigData, ReadConfigErrors, ReadConfigResponses, ReadResourceData, ReadResourceErrors, ReadResourceRequest, ReadResourceResponse, ReadResourceResponse2, ReadResourceResponses, Recipe, RecipeManifest, RecipeParameter, RecipeParameterInputType, RecipeParameterRequirement, RecipeToYamlData, RecipeToYamlError, RecipeToYamlErrors, RecipeToYamlRequest, RecipeToYamlResponse, RecipeToYamlResponse2, RecipeToYamlResponses, RecoverConfigData, RecoverConfigErrors, RecoverConfigResponse, RecoverConfigResponses, RedactedThinkingContent, RemoveConfigData, RemoveConfigErrors, RemoveConfigResponse, RemoveConfigResponses, RemoveCustomProviderData, RemoveCustomProviderErrors, RemoveCustomProviderResponse, RemoveCustomProviderResponses, RemoveExtensionData, RemoveExtensionErrors, RemoveExtensionRequest, RemoveExtensionResponse, RemoveExtensionResponses, ReplyData, ReplyErrors, ReplyResponse, ReplyResponses, RepoVariantsResponse, ResetPromptData, ResetPromptErrors, ResetPromptResponse, ResetPromptResponses, ResourceContents, ResourceMetadata, Response, RestartAgentData, RestartAgentErrors, RestartAgentRequest, RestartAgentResponse, RestartAgentResponse2, RestartAgentResponses, ResumeAgentData, ResumeAgentErrors, ResumeAgentRequest, ResumeAgentResponse, ResumeAgentResponse2, ResumeAgentResponses, RetryConfig, Role, RunNowHandlerData, RunNowHandlerErrors, RunNowHandlerResponse, RunNowHandlerResponses, RunNowResponse, SamplingConfig, SavePromptData, SavePromptErrors, SavePromptRequest, SavePromptResponse, SavePromptResponses, SaveRecipeData, SaveRecipeError, SaveRecipeErrors, SaveRecipeRequest, SaveRecipeResponse, SaveRecipeResponse2, SaveRecipeResponses, ScanRecipeData, ScanRecipeRequest, ScanRecipeResponse, ScanRecipeResponse2, ScanRecipeResponses, ScheduledJob, ScheduleRecipeData, ScheduleRecipeErrors, ScheduleRecipeRequest, ScheduleRecipeResponses, SearchHfModelsData, SearchHfModelsErrors, SearchHfModelsResponse, SearchHfModelsResponses, SearchSessionsData, SearchSessionsErrors, SearchSessionsResponse, SearchSessionsResponses, SendTelemetryEventData, SendTelemetryEventResponses, Session, SessionCancelData, SessionCancelResponses, SessionDisplayInfo, SessionEventsData, SessionEventsErrors, SessionEventsResponse, SessionEventsResponses, SessionExtensionsResponse, SessionInsights, SessionListResponse, SessionReplyData, SessionReplyErrors, SessionReplyRequest, SessionReplyResponse, SessionReplyResponse2, SessionReplyResponses, SessionsHandlerData, SessionsHandlerErrors, SessionsHandlerResponse, SessionsHandlerResponses, SessionsQuery, SessionType, SetConfigProviderData, SetProviderRequest, SetRecipeSlashCommandData, SetRecipeSlashCommandErrors, SetRecipeSlashCommandResponses, SetSlashCommandRequest, Settings, SetupResponse, SlashCommand, SlashCommandsResponse, StartAgentData, StartAgentError, StartAgentErrors, StartAgentRequest, StartAgentResponse, StartAgentResponses, StartNanogptSetupData, StartNanogptSetupResponse, StartNanogptSetupResponses, StartOpenrouterSetupData, StartOpenrouterSetupResponse, StartOpenrouterSetupResponses, StartTetrateSetupData, StartTetrateSetupResponse, StartTetrateSetupResponses, StartTunnelData, StartTunnelError, StartTunnelErrors, StartTunnelResponse, StartTunnelResponses, StatusData, StatusResponse, StatusResponses, StopAgentData, StopAgentErrors, StopAgentRequest, StopAgentResponse, StopAgentResponses, StopTunnelData, StopTunnelError, StopTunnelErrors, StopTunnelResponses, SubRecipe, SuccessCheck, SystemInfo, SystemInfoData, SystemInfoResponse, SystemInfoResponses, SystemNotificationContent, SystemNotificationType, TaskSupport, TelemetryEventRequest, Template, TextContent, ThinkingContent, TokenState, Tool, ToolAnnotations, ToolConfirmationRequest, ToolExecution, ToolInfo, ToolPermission, ToolRequest, ToolResponse, TranscribeDictationData, TranscribeDictationErrors, TranscribeDictationResponse, TranscribeDictationResponses, TranscribeRequest, TranscribeResponse, TunnelInfo, TunnelState, UiMetadata, UnpauseScheduleData, UnpauseScheduleErrors, UnpauseScheduleResponse, UnpauseScheduleResponses, UpdateAgentProviderData, UpdateAgentProviderErrors, UpdateAgentProviderResponses, UpdateCustomProviderData, UpdateCustomProviderErrors, UpdateCustomProviderRequest, UpdateCustomProviderResponse, UpdateCustomProviderResponses, UpdateFromSessionData, UpdateFromSessionErrors, UpdateFromSessionRequest, UpdateFromSessionResponses, UpdateModelSettingsData, UpdateModelSettingsErrors, UpdateModelSettingsResponse, UpdateModelSettingsResponses, UpdateProviderRequest, UpdateScheduleData, UpdateScheduleErrors, UpdateScheduleRequest, UpdateScheduleResponse, UpdateScheduleResponses, UpdateSessionData, UpdateSessionErrors, UpdateSessionNameData, UpdateSessionNameErrors, UpdateSessionNameRequest, UpdateSessionNameResponses, UpdateSessionRequest, UpdateSessionResponses, UpdateSessionUserRecipeValuesData, UpdateSessionUserRecipeValuesError, UpdateSessionUserRecipeValuesErrors, UpdateSessionUserRecipeValuesRequest, UpdateSessionUserRecipeValuesResponse, UpdateSessionUserRecipeValuesResponse2, UpdateSessionUserRecipeValuesResponses, UpdateWorkingDirData, UpdateWorkingDirErrors, UpdateWorkingDirRequest, UpdateWorkingDirResponses, UpsertConfigData, UpsertConfigErrors, UpsertConfigQuery, UpsertConfigResponse, UpsertConfigResponses, UpsertPermissionsData, UpsertPermissionsErrors, UpsertPermissionsQuery, UpsertPermissionsResponse, UpsertPermissionsResponses, ValidateConfigData, ValidateConfigErrors, ValidateConfigResponse, ValidateConfigResponses, WhisperModelResponse, WindowProps } from './types.gen';
+export { addExtension, agentAddExtension, agentRemoveExtension, backupConfig, callTool, cancelDownload, cancelLocalModelDownload, checkProvider, cleanupProviderCache, configureProviderOauth, confirmToolAction, createCustomProvider, createRecipe, createSchedule, decodeRecipe, deleteLocalModel, deleteModel, deleteRecipe, deleteSchedule, deleteSession, detectProvider, diagnostics, downloadHfModel, downloadModel, encodeRecipe, exportApp, exportSession, forkSession, getCanonicalModelInfo, getCustomProvider, getDictationConfig, getDownloadProgress, getExtensions, getLocalModelDownloadProgress, getModelSettings, getPrompt, getPrompts, getProviderCatalog, getProviderCatalogTemplate, getProviderModels, getRepoFiles, getSession, getSessionExtensions, getSessionInsights, getSlashCommands, getTools, getTunnelStatus, importApp, importSession, initConfig, inspectRunningJob, killRunningJob, listApps, listLocalModels, listModels, listRecipes, listSchedules, listSessions, mcpUiProxy, type Options, parseRecipe, pauseSchedule, providers, readAllConfig, readConfig, readResource, recipeToYaml, recoverConfig, removeConfig, removeCustomProvider, removeExtension, reply, resetPrompt, restartAgent, resumeAgent, runNowHandler, savePrompt, saveRecipe, scanRecipe, scheduleRecipe, searchHfModels, searchSessions, sendTelemetryEvent, sessionCancel, sessionEvents, sessionReply, sessionsHandler, setConfigProvider, setRecipeSlashCommand, startAgent, startNanogptSetup, startOpenrouterSetup, startTetrateSetup, startTunnel, status, stopAgent, stopTunnel, systemInfo, transcribeDictation, unpauseSchedule, updateAgentProvider, updateCustomProvider, updateFromSession, updateModelContext, updateModelSettings, updateSchedule, updateSession, updateSessionName, updateSessionUserRecipeValues, updateWorkingDir, upsertConfig, upsertPermissions, validateConfig } from './sdk.gen';
+export type { ActionRequired, ActionRequiredData, AddExtensionData, AddExtensionErrors, AddExtensionRequest, AddExtensionResponse, AddExtensionResponses, AgentAddExtensionData, AgentAddExtensionErrors, AgentAddExtensionResponse, AgentAddExtensionResponses, AgentRemoveExtensionData, AgentRemoveExtensionErrors, AgentRemoveExtensionResponse, AgentRemoveExtensionResponses, Annotations, Author, AuthorRequest, BackupConfigData, BackupConfigErrors, BackupConfigResponse, BackupConfigResponses, CallToolData, CallToolErrors, CallToolRequest, CallToolResponse, CallToolResponse2, CallToolResponses, CancelDownloadData, CancelDownloadErrors, CancelDownloadResponses, CancelLocalModelDownloadData, CancelLocalModelDownloadErrors, CancelLocalModelDownloadResponses, CancelRequest, ChatRequest, CheckProviderData, CheckProviderRequest, CleanupProviderCacheData, CleanupProviderCacheErrors, CleanupProviderCacheResponse, CleanupProviderCacheResponses, ClientOptions, CommandType, ConfigKey, ConfigKeyQuery, ConfigResponse, ConfigureProviderOauthData, ConfigureProviderOauthErrors, ConfigureProviderOauthResponses, ConfirmToolActionData, ConfirmToolActionErrors, ConfirmToolActionRequest, ConfirmToolActionResponses, Content, ContentBlock, Conversation, CreateCustomProviderData, CreateCustomProviderErrors, CreateCustomProviderResponse, CreateCustomProviderResponse2, CreateCustomProviderResponses, CreateRecipeData, CreateRecipeErrors, CreateRecipeRequest, CreateRecipeResponse, CreateRecipeResponse2, CreateRecipeResponses, CreateScheduleData, CreateScheduleErrors, CreateScheduleRequest, CreateScheduleResponse, CreateScheduleResponses, CspMetadata, DeclarativeProviderConfig, DecodeRecipeData, DecodeRecipeErrors, DecodeRecipeRequest, DecodeRecipeResponse, DecodeRecipeResponse2, DecodeRecipeResponses, DeleteLocalModelData, DeleteLocalModelErrors, DeleteLocalModelResponses, DeleteModelData, DeleteModelErrors, DeleteModelResponses, DeleteRecipeData, DeleteRecipeErrors, DeleteRecipeRequest, DeleteRecipeResponse, DeleteRecipeResponses, DeleteScheduleData, DeleteScheduleErrors, DeleteScheduleResponse, DeleteScheduleResponses, DeleteSessionData, DeleteSessionErrors, DeleteSessionResponses, DetectProviderData, DetectProviderErrors, DetectProviderRequest, DetectProviderResponse, DetectProviderResponse2, DetectProviderResponses, DiagnosticsData, DiagnosticsErrors, DiagnosticsResponse, DiagnosticsResponses, DictationProvider, DictationProviderStatus, DownloadHfModelData, DownloadHfModelErrors, DownloadHfModelResponse, DownloadHfModelResponses, DownloadModelData, DownloadModelErrors, DownloadModelRequest, DownloadModelResponses, DownloadProgress, DownloadStatus, EmbeddedResource, EncodeRecipeData, EncodeRecipeErrors, EncodeRecipeRequest, EncodeRecipeResponse, EncodeRecipeResponse2, EncodeRecipeResponses, Envs, EnvVarConfig, ErrorResponse, ExportAppData, ExportAppError, ExportAppErrors, ExportAppResponse, ExportAppResponses, ExportSessionData, ExportSessionErrors, ExportSessionResponse, ExportSessionResponses, ExtensionConfig, ExtensionData, ExtensionEntry, ExtensionLoadResult, ExtensionQuery, ExtensionResponse, ForkRequest, ForkResponse, ForkSessionData, ForkSessionErrors, ForkSessionResponse, ForkSessionResponses, FrontendToolRequest, GetCanonicalModelInfoData, GetCanonicalModelInfoResponse, GetCanonicalModelInfoResponses, GetCustomProviderData, GetCustomProviderErrors, GetCustomProviderResponse, GetCustomProviderResponses, GetDictationConfigData, GetDictationConfigResponse, GetDictationConfigResponses, GetDownloadProgressData, GetDownloadProgressErrors, GetDownloadProgressResponse, GetDownloadProgressResponses, GetExtensionsData, GetExtensionsErrors, GetExtensionsResponse, GetExtensionsResponses, GetLocalModelDownloadProgressData, GetLocalModelDownloadProgressErrors, GetLocalModelDownloadProgressResponse, GetLocalModelDownloadProgressResponses, GetModelSettingsData, GetModelSettingsErrors, GetModelSettingsResponse, GetModelSettingsResponses, GetPromptData, GetPromptErrors, GetPromptResponse, GetPromptResponses, GetPromptsData, GetPromptsResponse, GetPromptsResponses, GetProviderCatalogData, GetProviderCatalogErrors, GetProviderCatalogResponse, GetProviderCatalogResponses, GetProviderCatalogTemplateData, GetProviderCatalogTemplateErrors, GetProviderCatalogTemplateResponse, GetProviderCatalogTemplateResponses, GetProviderModelsData, GetProviderModelsErrors, GetProviderModelsResponse, GetProviderModelsResponses, GetRepoFilesData, GetRepoFilesResponse, GetRepoFilesResponses, GetSessionData, GetSessionErrors, GetSessionExtensionsData, GetSessionExtensionsErrors, GetSessionExtensionsResponse, GetSessionExtensionsResponses, GetSessionInsightsData, GetSessionInsightsErrors, GetSessionInsightsResponse, GetSessionInsightsResponses, GetSessionResponse, GetSessionResponses, GetSlashCommandsData, GetSlashCommandsResponse, GetSlashCommandsResponses, GetToolsData, GetToolsErrors, GetToolsQuery, GetToolsResponse, GetToolsResponses, GetTunnelStatusData, GetTunnelStatusResponse, GetTunnelStatusResponses, GooseApp, GooseMode, HfGgufFile, HfModelInfo, HfQuantVariant, Icon, ImageContent, ImportAppData, ImportAppError, ImportAppErrors, ImportAppRequest, ImportAppResponse, ImportAppResponse2, ImportAppResponses, ImportSessionData, ImportSessionErrors, ImportSessionRequest, ImportSessionResponse, ImportSessionResponses, InitConfigData, InitConfigErrors, InitConfigResponse, InitConfigResponses, InspectJobResponse, InspectRunningJobData, InspectRunningJobErrors, InspectRunningJobResponse, InspectRunningJobResponses, JsonObject, KillJobResponse, KillRunningJobData, KillRunningJobResponses, ListAppsData, ListAppsError, ListAppsErrors, ListAppsRequest, ListAppsResponse, ListAppsResponse2, ListAppsResponses, ListLocalModelsData, ListLocalModelsResponse, ListLocalModelsResponses, ListModelsData, ListModelsResponse, ListModelsResponses, ListRecipeResponse, ListRecipesData, ListRecipesErrors, ListRecipesResponse, ListRecipesResponses, ListSchedulesData, ListSchedulesErrors, ListSchedulesResponse, ListSchedulesResponse2, ListSchedulesResponses, ListSessionsData, ListSessionsErrors, ListSessionsResponse, ListSessionsResponses, LoadedProvider, LocalModelResponse, McpAppResource, McpUiProxyData, McpUiProxyErrors, McpUiProxyResponses, Message, MessageContent, MessageEvent, MessageMetadata, ModelCapabilities, ModelConfig, ModelDownloadStatus, ModelInfo, ModelInfoData, ModelInfoQuery, ModelInfoResponse, ModelSettings, ModelTemplate, ParseRecipeData, ParseRecipeError, ParseRecipeErrors, ParseRecipeRequest, ParseRecipeResponse, ParseRecipeResponse2, ParseRecipeResponses, PauseScheduleData, PauseScheduleErrors, PauseScheduleResponse, PauseScheduleResponses, Permission, PermissionLevel, PermissionsMetadata, PrincipalType, PromptContentResponse, PromptsListResponse, ProviderCatalogEntry, ProviderDetails, ProviderEngine, ProviderMetadata, ProvidersData, ProvidersResponse, ProvidersResponse2, ProvidersResponses, ProviderTemplate, ProviderType, RawAudioContent, RawEmbeddedResource, RawImageContent, RawResource, RawTextContent, ReadAllConfigData, ReadAllConfigResponse, ReadAllConfigResponses, ReadConfigData, ReadConfigErrors, ReadConfigResponses, ReadResourceData, ReadResourceErrors, ReadResourceRequest, ReadResourceResponse, ReadResourceResponse2, ReadResourceResponses, Recipe, RecipeManifest, RecipeParameter, RecipeParameterInputType, RecipeParameterRequirement, RecipeToYamlData, RecipeToYamlError, RecipeToYamlErrors, RecipeToYamlRequest, RecipeToYamlResponse, RecipeToYamlResponse2, RecipeToYamlResponses, RecoverConfigData, RecoverConfigErrors, RecoverConfigResponse, RecoverConfigResponses, RedactedThinkingContent, RemoveConfigData, RemoveConfigErrors, RemoveConfigResponse, RemoveConfigResponses, RemoveCustomProviderData, RemoveCustomProviderErrors, RemoveCustomProviderResponse, RemoveCustomProviderResponses, RemoveExtensionData, RemoveExtensionErrors, RemoveExtensionRequest, RemoveExtensionResponse, RemoveExtensionResponses, ReplyData, ReplyErrors, ReplyResponse, ReplyResponses, RepoVariantsResponse, ResetPromptData, ResetPromptErrors, ResetPromptResponse, ResetPromptResponses, ResourceContents, ResourceMetadata, Response, RestartAgentData, RestartAgentErrors, RestartAgentRequest, RestartAgentResponse, RestartAgentResponse2, RestartAgentResponses, ResumeAgentData, ResumeAgentErrors, ResumeAgentRequest, ResumeAgentResponse, ResumeAgentResponse2, ResumeAgentResponses, RetryConfig, Role, RunNowHandlerData, RunNowHandlerErrors, RunNowHandlerResponse, RunNowHandlerResponses, RunNowResponse, SamplingConfig, SavePromptData, SavePromptErrors, SavePromptRequest, SavePromptResponse, SavePromptResponses, SaveRecipeData, SaveRecipeError, SaveRecipeErrors, SaveRecipeRequest, SaveRecipeResponse, SaveRecipeResponse2, SaveRecipeResponses, ScanRecipeData, ScanRecipeRequest, ScanRecipeResponse, ScanRecipeResponse2, ScanRecipeResponses, ScheduledJob, ScheduleRecipeData, ScheduleRecipeErrors, ScheduleRecipeRequest, ScheduleRecipeResponses, SearchHfModelsData, SearchHfModelsErrors, SearchHfModelsResponse, SearchHfModelsResponses, SearchSessionsData, SearchSessionsErrors, SearchSessionsResponse, SearchSessionsResponses, SendTelemetryEventData, SendTelemetryEventResponses, Session, SessionCancelData, SessionCancelResponses, SessionDisplayInfo, SessionEventsData, SessionEventsErrors, SessionEventsResponse, SessionEventsResponses, SessionExtensionsResponse, SessionInsights, SessionListResponse, SessionReplyData, SessionReplyErrors, SessionReplyRequest, SessionReplyResponse, SessionReplyResponse2, SessionReplyResponses, SessionsHandlerData, SessionsHandlerErrors, SessionsHandlerResponse, SessionsHandlerResponses, SessionsQuery, SessionType, SetConfigProviderData, SetProviderRequest, SetRecipeSlashCommandData, SetRecipeSlashCommandErrors, SetRecipeSlashCommandResponses, SetSlashCommandRequest, Settings, SetupResponse, SlashCommand, SlashCommandsResponse, StartAgentData, StartAgentError, StartAgentErrors, StartAgentRequest, StartAgentResponse, StartAgentResponses, StartNanogptSetupData, StartNanogptSetupResponse, StartNanogptSetupResponses, StartOpenrouterSetupData, StartOpenrouterSetupResponse, StartOpenrouterSetupResponses, StartTetrateSetupData, StartTetrateSetupResponse, StartTetrateSetupResponses, StartTunnelData, StartTunnelError, StartTunnelErrors, StartTunnelResponse, StartTunnelResponses, StatusData, StatusResponse, StatusResponses, StopAgentData, StopAgentErrors, StopAgentRequest, StopAgentResponse, StopAgentResponses, StopTunnelData, StopTunnelError, StopTunnelErrors, StopTunnelResponses, SubRecipe, SuccessCheck, SystemInfo, SystemInfoData, SystemInfoResponse, SystemInfoResponses, SystemNotificationContent, SystemNotificationType, TaskSupport, TelemetryEventRequest, Template, TextContent, ThinkingContent, TokenState, Tool, ToolAnnotations, ToolConfirmationRequest, ToolExecution, ToolInfo, ToolPermission, ToolRequest, ToolResponse, TranscribeDictationData, TranscribeDictationErrors, TranscribeDictationResponse, TranscribeDictationResponses, TranscribeRequest, TranscribeResponse, TunnelInfo, TunnelState, UiMetadata, UnpauseScheduleData, UnpauseScheduleErrors, UnpauseScheduleResponse, UnpauseScheduleResponses, UpdateAgentProviderData, UpdateAgentProviderErrors, UpdateAgentProviderResponses, UpdateCustomProviderData, UpdateCustomProviderErrors, UpdateCustomProviderRequest, UpdateCustomProviderResponse, UpdateCustomProviderResponses, UpdateFromSessionData, UpdateFromSessionErrors, UpdateFromSessionRequest, UpdateFromSessionResponses, UpdateModelContextData, UpdateModelContextErrors, UpdateModelContextRequest, UpdateModelContextResponses, UpdateModelSettingsData, UpdateModelSettingsErrors, UpdateModelSettingsResponse, UpdateModelSettingsResponses, UpdateProviderRequest, UpdateScheduleData, UpdateScheduleErrors, UpdateScheduleRequest, UpdateScheduleResponse, UpdateScheduleResponses, UpdateSessionData, UpdateSessionErrors, UpdateSessionNameData, UpdateSessionNameErrors, UpdateSessionNameRequest, UpdateSessionNameResponses, UpdateSessionRequest, UpdateSessionResponses, UpdateSessionUserRecipeValuesData, UpdateSessionUserRecipeValuesError, UpdateSessionUserRecipeValuesErrors, UpdateSessionUserRecipeValuesRequest, UpdateSessionUserRecipeValuesResponse, UpdateSessionUserRecipeValuesResponse2, UpdateSessionUserRecipeValuesResponses, UpdateWorkingDirData, UpdateWorkingDirErrors, UpdateWorkingDirRequest, UpdateWorkingDirResponses, UpsertConfigData, UpsertConfigErrors, UpsertConfigQuery, UpsertConfigResponse, UpsertConfigResponses, UpsertPermissionsData, UpsertPermissionsErrors, UpsertPermissionsQuery, UpsertPermissionsResponse, UpsertPermissionsResponses, ValidateConfigData, ValidateConfigErrors, ValidateConfigResponse, ValidateConfigResponses, WhisperModelResponse, WindowProps } from './types.gen';
diff --git a/ui/desktop/src/api/sdk.gen.ts b/ui/desktop/src/api/sdk.gen.ts
index 3d12b5b57429..74999bb1091a 100644
--- a/ui/desktop/src/api/sdk.gen.ts
+++ b/ui/desktop/src/api/sdk.gen.ts
@@ -2,7 +2,7 @@
 
 import type { Client, Options as Options2, TDataShape } from './client';
 import { client } from './client.gen';
-import type { AddExtensionData, AddExtensionErrors, AddExtensionResponses, AgentAddExtensionData, AgentAddExtensionErrors, AgentAddExtensionResponses, AgentRemoveExtensionData, AgentRemoveExtensionErrors, AgentRemoveExtensionResponses, BackupConfigData, BackupConfigErrors, BackupConfigResponses, CallToolData, CallToolErrors, CallToolResponses, CancelDownloadData, CancelDownloadErrors, CancelDownloadResponses, CancelLocalModelDownloadData, CancelLocalModelDownloadErrors, CancelLocalModelDownloadResponses, CheckProviderData, CleanupProviderCacheData, CleanupProviderCacheErrors, CleanupProviderCacheResponses, ConfigureProviderOauthData, ConfigureProviderOauthErrors, ConfigureProviderOauthResponses, ConfirmToolActionData, ConfirmToolActionErrors, ConfirmToolActionResponses, CreateCustomProviderData, CreateCustomProviderErrors, CreateCustomProviderResponses, CreateRecipeData, CreateRecipeErrors, CreateRecipeResponses, CreateScheduleData, CreateScheduleErrors, CreateScheduleResponses, DecodeRecipeData, DecodeRecipeErrors, DecodeRecipeResponses, DeleteLocalModelData, DeleteLocalModelErrors, DeleteLocalModelResponses, DeleteModelData, DeleteModelErrors, DeleteModelResponses, DeleteRecipeData, DeleteRecipeErrors, DeleteRecipeResponses, DeleteScheduleData, DeleteScheduleErrors, DeleteScheduleResponses, DeleteSessionData, DeleteSessionErrors, DeleteSessionResponses, DetectProviderData, DetectProviderErrors, DetectProviderResponses, DiagnosticsData, DiagnosticsErrors, DiagnosticsResponses, DownloadHfModelData, DownloadHfModelErrors, DownloadHfModelResponses, DownloadModelData, DownloadModelErrors, DownloadModelResponses, EncodeRecipeData, EncodeRecipeErrors, EncodeRecipeResponses, ExportAppData, ExportAppErrors, ExportAppResponses, ExportSessionData, ExportSessionErrors, ExportSessionResponses, ForkSessionData, ForkSessionErrors, ForkSessionResponses, GetCanonicalModelInfoData, GetCanonicalModelInfoResponses, GetCustomProviderData, GetCustomProviderErrors, GetCustomProviderResponses, GetDictationConfigData, GetDictationConfigResponses, GetDownloadProgressData, GetDownloadProgressErrors, GetDownloadProgressResponses, GetExtensionsData, GetExtensionsErrors, GetExtensionsResponses, GetLocalModelDownloadProgressData, GetLocalModelDownloadProgressErrors, GetLocalModelDownloadProgressResponses, GetModelSettingsData, GetModelSettingsErrors, GetModelSettingsResponses, GetPromptData, GetPromptErrors, GetPromptResponses, GetPromptsData, GetPromptsResponses, GetProviderCatalogData, GetProviderCatalogErrors, GetProviderCatalogResponses, GetProviderCatalogTemplateData, GetProviderCatalogTemplateErrors, GetProviderCatalogTemplateResponses, GetProviderModelsData, GetProviderModelsErrors, GetProviderModelsResponses, GetRepoFilesData, GetRepoFilesResponses, GetSessionData, GetSessionErrors, GetSessionExtensionsData, GetSessionExtensionsErrors, GetSessionExtensionsResponses, GetSessionInsightsData, GetSessionInsightsErrors, GetSessionInsightsResponses, GetSessionResponses, GetSlashCommandsData, GetSlashCommandsResponses, GetToolsData, GetToolsErrors, GetToolsResponses, GetTunnelStatusData, GetTunnelStatusResponses, ImportAppData, ImportAppErrors, ImportAppResponses, ImportSessionData, ImportSessionErrors, ImportSessionResponses, InitConfigData, InitConfigErrors, InitConfigResponses, InspectRunningJobData, InspectRunningJobErrors, InspectRunningJobResponses, KillRunningJobData, KillRunningJobResponses, ListAppsData, ListAppsErrors, ListAppsResponses, ListLocalModelsData, ListLocalModelsResponses, ListModelsData, ListModelsResponses, ListRecipesData, ListRecipesErrors, ListRecipesResponses, ListSchedulesData, ListSchedulesErrors, ListSchedulesResponses, ListSessionsData, ListSessionsErrors, ListSessionsResponses, McpUiProxyData, McpUiProxyErrors, McpUiProxyResponses, ParseRecipeData, ParseRecipeErrors, ParseRecipeResponses, PauseScheduleData, PauseScheduleErrors, PauseScheduleResponses, ProvidersData, ProvidersResponses, ReadAllConfigData, ReadAllConfigResponses, ReadConfigData, ReadConfigErrors, ReadConfigResponses, ReadResourceData, ReadResourceErrors, ReadResourceResponses, RecipeToYamlData, RecipeToYamlErrors, RecipeToYamlResponses, RecoverConfigData, RecoverConfigErrors, RecoverConfigResponses, RemoveConfigData, RemoveConfigErrors, RemoveConfigResponses, RemoveCustomProviderData, RemoveCustomProviderErrors, RemoveCustomProviderResponses, RemoveExtensionData, RemoveExtensionErrors, RemoveExtensionResponses, ReplyData, ReplyErrors, ReplyResponses, ResetPromptData, ResetPromptErrors, ResetPromptResponses, RestartAgentData, RestartAgentErrors, RestartAgentResponses, ResumeAgentData, ResumeAgentErrors, ResumeAgentResponses, RunNowHandlerData, RunNowHandlerErrors, RunNowHandlerResponses, SavePromptData, SavePromptErrors, SavePromptResponses, SaveRecipeData, SaveRecipeErrors, SaveRecipeResponses, ScanRecipeData, ScanRecipeResponses, ScheduleRecipeData, ScheduleRecipeErrors, ScheduleRecipeResponses, SearchHfModelsData, SearchHfModelsErrors, SearchHfModelsResponses, SearchSessionsData, SearchSessionsErrors, SearchSessionsResponses, SendTelemetryEventData, SendTelemetryEventResponses, SessionCancelData, SessionCancelResponses, SessionEventsData, SessionEventsErrors, SessionEventsResponses, SessionReplyData, SessionReplyErrors, SessionReplyResponses, SessionsHandlerData, SessionsHandlerErrors, SessionsHandlerResponses, SetConfigProviderData, SetRecipeSlashCommandData, SetRecipeSlashCommandErrors, SetRecipeSlashCommandResponses, StartAgentData, StartAgentErrors, StartAgentResponses, StartNanogptSetupData, StartNanogptSetupResponses, StartOpenrouterSetupData, StartOpenrouterSetupResponses, StartTetrateSetupData, StartTetrateSetupResponses, StartTunnelData, StartTunnelErrors, StartTunnelResponses, StatusData, StatusResponses, StopAgentData, StopAgentErrors, StopAgentResponses, StopTunnelData, StopTunnelErrors, StopTunnelResponses, SystemInfoData, SystemInfoResponses, TranscribeDictationData, TranscribeDictationErrors, TranscribeDictationResponses, UnpauseScheduleData, UnpauseScheduleErrors, UnpauseScheduleResponses, UpdateAgentProviderData, UpdateAgentProviderErrors, UpdateAgentProviderResponses, UpdateCustomProviderData, UpdateCustomProviderErrors, UpdateCustomProviderResponses, UpdateFromSessionData, UpdateFromSessionErrors, UpdateFromSessionResponses, UpdateModelSettingsData, UpdateModelSettingsErrors, UpdateModelSettingsResponses, UpdateScheduleData, UpdateScheduleErrors, UpdateScheduleResponses, UpdateSessionData, UpdateSessionErrors, UpdateSessionNameData, UpdateSessionNameErrors, UpdateSessionNameResponses, UpdateSessionResponses, UpdateSessionUserRecipeValuesData, UpdateSessionUserRecipeValuesErrors, UpdateSessionUserRecipeValuesResponses, UpdateWorkingDirData, UpdateWorkingDirErrors, UpdateWorkingDirResponses, UpsertConfigData, UpsertConfigErrors, UpsertConfigResponses, UpsertPermissionsData, UpsertPermissionsErrors, UpsertPermissionsResponses, ValidateConfigData, ValidateConfigErrors, ValidateConfigResponses } from './types.gen';
+import type { AddExtensionData, AddExtensionErrors, AddExtensionResponses, AgentAddExtensionData, AgentAddExtensionErrors, AgentAddExtensionResponses, AgentRemoveExtensionData, AgentRemoveExtensionErrors, AgentRemoveExtensionResponses, BackupConfigData, BackupConfigErrors, BackupConfigResponses, CallToolData, CallToolErrors, CallToolResponses, CancelDownloadData, CancelDownloadErrors, CancelDownloadResponses, CancelLocalModelDownloadData, CancelLocalModelDownloadErrors, CancelLocalModelDownloadResponses, CheckProviderData, CleanupProviderCacheData, CleanupProviderCacheErrors, CleanupProviderCacheResponses, ConfigureProviderOauthData, ConfigureProviderOauthErrors, ConfigureProviderOauthResponses, ConfirmToolActionData, ConfirmToolActionErrors, ConfirmToolActionResponses, CreateCustomProviderData, CreateCustomProviderErrors, CreateCustomProviderResponses, CreateRecipeData, CreateRecipeErrors, CreateRecipeResponses, CreateScheduleData, CreateScheduleErrors, CreateScheduleResponses, DecodeRecipeData, DecodeRecipeErrors, DecodeRecipeResponses, DeleteLocalModelData, DeleteLocalModelErrors, DeleteLocalModelResponses, DeleteModelData, DeleteModelErrors, DeleteModelResponses, DeleteRecipeData, DeleteRecipeErrors, DeleteRecipeResponses, DeleteScheduleData, DeleteScheduleErrors, DeleteScheduleResponses, DeleteSessionData, DeleteSessionErrors, DeleteSessionResponses, DetectProviderData, DetectProviderErrors, DetectProviderResponses, DiagnosticsData, DiagnosticsErrors, DiagnosticsResponses, DownloadHfModelData, DownloadHfModelErrors, DownloadHfModelResponses, DownloadModelData, DownloadModelErrors, DownloadModelResponses, EncodeRecipeData, EncodeRecipeErrors, EncodeRecipeResponses, ExportAppData, ExportAppErrors, ExportAppResponses, ExportSessionData, ExportSessionErrors, ExportSessionResponses, ForkSessionData, ForkSessionErrors, ForkSessionResponses, GetCanonicalModelInfoData, GetCanonicalModelInfoResponses, GetCustomProviderData, GetCustomProviderErrors, GetCustomProviderResponses, GetDictationConfigData, GetDictationConfigResponses, GetDownloadProgressData, GetDownloadProgressErrors, GetDownloadProgressResponses, GetExtensionsData, GetExtensionsErrors, GetExtensionsResponses, GetLocalModelDownloadProgressData, GetLocalModelDownloadProgressErrors, GetLocalModelDownloadProgressResponses, GetModelSettingsData, GetModelSettingsErrors, GetModelSettingsResponses, GetPromptData, GetPromptErrors, GetPromptResponses, GetPromptsData, GetPromptsResponses, GetProviderCatalogData, GetProviderCatalogErrors, GetProviderCatalogResponses, GetProviderCatalogTemplateData, GetProviderCatalogTemplateErrors, GetProviderCatalogTemplateResponses, GetProviderModelsData, GetProviderModelsErrors, GetProviderModelsResponses, GetRepoFilesData, GetRepoFilesResponses, GetSessionData, GetSessionErrors, GetSessionExtensionsData, GetSessionExtensionsErrors, GetSessionExtensionsResponses, GetSessionInsightsData, GetSessionInsightsErrors, GetSessionInsightsResponses, GetSessionResponses, GetSlashCommandsData, GetSlashCommandsResponses, GetToolsData, GetToolsErrors, GetToolsResponses, GetTunnelStatusData, GetTunnelStatusResponses, ImportAppData, ImportAppErrors, ImportAppResponses, ImportSessionData, ImportSessionErrors, ImportSessionResponses, InitConfigData, InitConfigErrors, InitConfigResponses, InspectRunningJobData, InspectRunningJobErrors, InspectRunningJobResponses, KillRunningJobData, KillRunningJobResponses, ListAppsData, ListAppsErrors, ListAppsResponses, ListLocalModelsData, ListLocalModelsResponses, ListModelsData, ListModelsResponses, ListRecipesData, ListRecipesErrors, ListRecipesResponses, ListSchedulesData, ListSchedulesErrors, ListSchedulesResponses, ListSessionsData, ListSessionsErrors, ListSessionsResponses, McpUiProxyData, McpUiProxyErrors, McpUiProxyResponses, ParseRecipeData, ParseRecipeErrors, ParseRecipeResponses, PauseScheduleData, PauseScheduleErrors, PauseScheduleResponses, ProvidersData, ProvidersResponses, ReadAllConfigData, ReadAllConfigResponses, ReadConfigData, ReadConfigErrors, ReadConfigResponses, ReadResourceData, ReadResourceErrors, ReadResourceResponses, RecipeToYamlData, RecipeToYamlErrors, RecipeToYamlResponses, RecoverConfigData, RecoverConfigErrors, RecoverConfigResponses, RemoveConfigData, RemoveConfigErrors, RemoveConfigResponses, RemoveCustomProviderData, RemoveCustomProviderErrors, RemoveCustomProviderResponses, RemoveExtensionData, RemoveExtensionErrors, RemoveExtensionResponses, ReplyData, ReplyErrors, ReplyResponses, ResetPromptData, ResetPromptErrors, ResetPromptResponses, RestartAgentData, RestartAgentErrors, RestartAgentResponses, ResumeAgentData, ResumeAgentErrors, ResumeAgentResponses, RunNowHandlerData, RunNowHandlerErrors, RunNowHandlerResponses, SavePromptData, SavePromptErrors, SavePromptResponses, SaveRecipeData, SaveRecipeErrors, SaveRecipeResponses, ScanRecipeData, ScanRecipeResponses, ScheduleRecipeData, ScheduleRecipeErrors, ScheduleRecipeResponses, SearchHfModelsData, SearchHfModelsErrors, SearchHfModelsResponses, SearchSessionsData, SearchSessionsErrors, SearchSessionsResponses, SendTelemetryEventData, SendTelemetryEventResponses, SessionCancelData, SessionCancelResponses, SessionEventsData, SessionEventsErrors, SessionEventsResponses, SessionReplyData, SessionReplyErrors, SessionReplyResponses, SessionsHandlerData, SessionsHandlerErrors, SessionsHandlerResponses, SetConfigProviderData, SetRecipeSlashCommandData, SetRecipeSlashCommandErrors, SetRecipeSlashCommandResponses, StartAgentData, StartAgentErrors, StartAgentResponses, StartNanogptSetupData, StartNanogptSetupResponses, StartOpenrouterSetupData, StartOpenrouterSetupResponses, StartTetrateSetupData, StartTetrateSetupResponses, StartTunnelData, StartTunnelErrors, StartTunnelResponses, StatusData, StatusResponses, StopAgentData, StopAgentErrors, StopAgentResponses, StopTunnelData, StopTunnelErrors, StopTunnelResponses, SystemInfoData, SystemInfoResponses, TranscribeDictationData, TranscribeDictationErrors, TranscribeDictationResponses, UnpauseScheduleData, UnpauseScheduleErrors, UnpauseScheduleResponses, UpdateAgentProviderData, UpdateAgentProviderErrors, UpdateAgentProviderResponses, UpdateCustomProviderData, UpdateCustomProviderErrors, UpdateCustomProviderResponses, UpdateFromSessionData, UpdateFromSessionErrors, UpdateFromSessionResponses, UpdateModelContextData, UpdateModelContextErrors, UpdateModelContextResponses, UpdateModelSettingsData, UpdateModelSettingsErrors, UpdateModelSettingsResponses, UpdateScheduleData, UpdateScheduleErrors, UpdateScheduleResponses, UpdateSessionData, UpdateSessionErrors, UpdateSessionNameData, UpdateSessionNameErrors, UpdateSessionNameResponses, UpdateSessionResponses, UpdateSessionUserRecipeValuesData, UpdateSessionUserRecipeValuesErrors, UpdateSessionUserRecipeValuesResponses, UpdateWorkingDirData, UpdateWorkingDirErrors, UpdateWorkingDirResponses, UpsertConfigData, UpsertConfigErrors, UpsertConfigResponses, UpsertPermissionsData, UpsertPermissionsErrors, UpsertPermissionsResponses, ValidateConfigData, ValidateConfigErrors, ValidateConfigResponses } from './types.gen';
 
 export type Options<TData extends TDataShape = TDataShape, ThrowOnError extends boolean = boolean> = Options2<TData, ThrowOnError> & {
     /**
@@ -123,6 +123,15 @@ export const updateFromSession = <ThrowOnError extends boolean = false>(options:
     }
 });
 
+export const updateModelContext = <ThrowOnError extends boolean = false>(options: Options<UpdateModelContextData, ThrowOnError>) => (options.client ?? client).post<UpdateModelContextResponses, UpdateModelContextErrors, ThrowOnError>({
+    url: '/agent/update_model_context',
+    ...options,
+    headers: {
+        'Content-Type': 'application/json',
+        ...options.headers
+    }
+});
+
 export const updateAgentProvider = <ThrowOnError extends boolean = false>(options: Options<UpdateAgentProviderData, ThrowOnError>) => (options.client ?? client).post<UpdateAgentProviderResponses, UpdateAgentProviderErrors, ThrowOnError>({
     url: '/agent/update_provider',
     ...options,
diff --git a/ui/desktop/src/api/types.gen.ts b/ui/desktop/src/api/types.gen.ts
index 6add7592e84e..8c00b1f5fde9 100644
--- a/ui/desktop/src/api/types.gen.ts
+++ b/ui/desktop/src/api/types.gen.ts
@@ -1550,6 +1550,16 @@ export type UpdateFromSessionRequest = {
     session_id: string;
 };
 
+export type UpdateModelContextRequest = {
+    content?: Array<unknown> | null;
+    /**
+     * Key identifying the MCP App (typically `"{extension}__{resourceUri}"`)
+     */
+    key: string;
+    sessionId: string;
+    structuredContent?: unknown;
+};
+
 export type UpdateProviderRequest = {
     context_limit?: number | null;
     model?: string | null;
@@ -2074,6 +2084,35 @@ export type UpdateFromSessionResponses = {
     200: unknown;
 };
 
+export type UpdateModelContextData = {
+    body: UpdateModelContextRequest;
+    path?: never;
+    query?: never;
+    url: '/agent/update_model_context';
+};
+
+export type UpdateModelContextErrors = {
+    /**
+     * Unauthorized
+     */
+    401: unknown;
+    /**
+     * Agent not initialized
+     */
+    424: unknown;
+    /**
+     * Internal server error
+     */
+    500: unknown;
+};
+
+export type UpdateModelContextResponses = {
+    /**
+     * Model context updated
+     */
+    200: unknown;
+};
+
 export type UpdateAgentProviderData = {
     body: UpdateProviderRequest;
     path?: never;
diff --git a/ui/desktop/src/components/McpApps/McpAppRenderer.tsx b/ui/desktop/src/components/McpApps/McpAppRenderer.tsx
index 4d442e69fb29..34d094ea51f9 100644
--- a/ui/desktop/src/components/McpApps/McpAppRenderer.tsx
+++ b/ui/desktop/src/components/McpApps/McpAppRenderer.tsx
@@ -599,6 +599,34 @@ export default function McpAppRenderer({
 
   const handleFallbackRequest = useCallback(
     async (request: JSONRPCRequest, _extra: RequestHandlerExtra) => {
+      if (request.method === 'ui/update-model-context') {
+        if (!sessionId || !apiHost || !secretKey) {
+          throw new Error('Session not initialized for model context update');
+        }
+        const params = request.params as {
+          content?: Array<{ type: string; text?: string }>;
+          structuredContent?: Record<string, unknown>;
+        };
+        const key = `${extensionName}__${resourceUri}`;
+        const response = await fetch(`${apiHost}/agent/update_model_context`, {
+          method: 'POST',
+          headers: {
+            'Content-Type': 'application/json',
+            'X-Secret-Key': secretKey,
+          },
+          body: JSON.stringify({
+            sessionId,
+            key,
+            content: params?.content ?? null,
+            structuredContent: params?.structuredContent ?? null,
+          }),
+        });
+        if (!response.ok) {
+          throw new Error(`Model context update failed: ${response.statusText}`);
+        }
+        return {};
+      }
+
       if (request.method === 'sampling/createMessage') {
         if (!sessionId || !apiHost || !secretKey) {
           throw new Error('Session not initialized for sampling request');
@@ -630,7 +658,7 @@ export default function McpAppRenderer({
         message: `Unhandled JSON-RPC method: ${request.method ?? '<unknown>'}`,
       };
     },
-    [sessionId, apiHost, secretKey]
+    [sessionId, apiHost, secretKey, extensionName, resourceUri]
   );
 
   const handleError = useCallback((err: Error) => {

From 8d191713b6212b1754e24f78fba321687ce62813 Mon Sep 17 00:00:00 2001
From: Andrew Harvard <aharvard@squareup.com>
Date: Fri, 20 Mar 2026 16:13:30 -0400
Subject: [PATCH 2/5] fix: XML-escape MCP App context before injection

Escape <, >, &, and " in app-provided text and keys before wrapping
them in <mcp-app-context> XML blocks. Prevents malformed markup from
benign payloads (e.g. code snippets) and blocks malicious apps from
closing the tag to spoof extra context sections.

Adds a test covering special character escaping.

Signed-off-by: Andrew Harvard <aharvard@squareup.com>
Co-authored-by: Goose <opensource@block.xyz>
Ai-assisted: true
---
 crates/goose/src/agents/agent.rs | 40 ++++++++++++++++++++++++++++----
 1 file changed, 35 insertions(+), 5 deletions(-)

diff --git a/crates/goose/src/agents/agent.rs b/crates/goose/src/agents/agent.rs
index 87328ba2774e..0ad7bde101be 100644
--- a/crates/goose/src/agents/agent.rs
+++ b/crates/goose/src/agents/agent.rs
@@ -64,6 +64,13 @@ use tracing::{debug, error, info, instrument, warn};
 const DEFAULT_MAX_TURNS: u32 = 1000;
 const COMPACTION_THINKING_TEXT: &str = "goose is compacting the conversation...";
 
+fn xml_escape(s: &str) -> String {
+    s.replace('&', "&amp;")
+        .replace('<', "&lt;")
+        .replace('>', "&gt;")
+        .replace('"', "&quot;")
+}
+
 /// Context provided by an MCP App via `ui/update-model-context`.
 /// Each update overwrites the previous one for the same key.
 #[derive(Clone, Debug)]
@@ -507,18 +514,19 @@ impl Agent {
 
         let mut parts = Vec::new();
         for (key, ctx) in contexts.iter() {
-            let mut section = format!("<mcp-app-context source=\"{key}\">\n");
+            let escaped_key = xml_escape(key);
+            let mut section = format!("<mcp-app-context source=\"{escaped_key}\">\n");
             if let Some(content) = &ctx.content {
                 for block in content {
                     if let Some(text) = block.get("text").and_then(|v| v.as_str()) {
-                        section.push_str(text);
+                        section.push_str(&xml_escape(text));
                         section.push('\n');
                     }
                 }
             }
             if let Some(structured) = &ctx.structured_content {
                 if let Ok(json_str) = serde_json::to_string_pretty(structured) {
-                    section.push_str(&json_str);
+                    section.push_str(&xml_escape(&json_str));
                     section.push('\n');
                 }
             }
@@ -2437,7 +2445,29 @@ mod tests {
             .await;
 
         let text = agent.collect_mcp_app_contexts().await.unwrap();
-        assert!(text.contains("\"items\": 3"));
-        assert!(text.contains("\"total\": 150"));
+        assert!(text.contains("&quot;items&quot;: 3"));
+        assert!(text.contains("&quot;total&quot;: 150"));
+    }
+
+    #[tokio::test]
+    async fn test_mcp_app_context_escapes_xml_special_chars() {
+        let agent = Agent::new();
+
+        agent
+            .update_mcp_app_context(
+                "ext__<script>".to_string(),
+                McpAppContext {
+                    content: Some(vec![
+                        serde_json::json!({"type": "text", "text": "a < b & c > d"}),
+                    ]),
+                    structured_content: None,
+                },
+            )
+            .await;
+
+        let text = agent.collect_mcp_app_contexts().await.unwrap();
+        assert!(text.contains("&lt;script&gt;"));
+        assert!(text.contains("a &lt; b &amp; c &gt; d"));
+        assert!(!text.contains("<script>"));
     }
 }

From 9fa95fbda7064451ee513b891b21654b222ba317 Mon Sep 17 00:00:00 2001
From: Andrew Harvard <aharvard@squareup.com>
Date: Fri, 20 Mar 2026 16:34:50 -0400
Subject: [PATCH 3/5] fix: serialize non-text content blocks in MCP App context

Content blocks without a text field (e.g. image, resource) were
silently dropped during context collection. Now falls back to JSON
serialization so the model sees all block types.

Signed-off-by: Andrew Harvard <aharvard@squareup.com>
Co-authored-by: Goose <opensource@block.xyz>
Ai-assisted: true
---
 crates/goose/src/agents/agent.rs | 26 +++++++++++++++++++++++++-
 1 file changed, 25 insertions(+), 1 deletion(-)

diff --git a/crates/goose/src/agents/agent.rs b/crates/goose/src/agents/agent.rs
index 0ad7bde101be..9fcf8a2295be 100644
--- a/crates/goose/src/agents/agent.rs
+++ b/crates/goose/src/agents/agent.rs
@@ -520,8 +520,10 @@ impl Agent {
                 for block in content {
                     if let Some(text) = block.get("text").and_then(|v| v.as_str()) {
                         section.push_str(&xml_escape(text));
-                        section.push('\n');
+                    } else if let Ok(json_str) = serde_json::to_string(block) {
+                        section.push_str(&xml_escape(&json_str));
                     }
+                    section.push('\n');
                 }
             }
             if let Some(structured) = &ctx.structured_content {
@@ -2470,4 +2472,26 @@ mod tests {
         assert!(text.contains("a &lt; b &amp; c &gt; d"));
         assert!(!text.contains("<script>"));
     }
+
+    #[tokio::test]
+    async fn test_mcp_app_context_non_text_blocks_serialized() {
+        let agent = Agent::new();
+
+        agent
+            .update_mcp_app_context(
+                "ext__ui://app".to_string(),
+                McpAppContext {
+                    content: Some(vec![
+                        serde_json::json!({"type": "text", "text": "hello"}),
+                        serde_json::json!({"type": "image", "data": "base64..."}),
+                    ]),
+                    structured_content: None,
+                },
+            )
+            .await;
+
+        let text = agent.collect_mcp_app_contexts().await.unwrap();
+        assert!(text.contains("hello"));
+        assert!(text.contains("&quot;type&quot;:&quot;image&quot;"));
+    }
 }

From 8b80b9fe7a7508fa4f5f8c3f0256ed231edd53b9 Mon Sep 17 00:00:00 2001
From: Andrew Harvard <aharvard@squareup.com>
Date: Fri, 20 Mar 2026 16:56:14 -0400
Subject: [PATCH 4/5] fix: strip binary data from non-text content blocks

When serializing non-text content blocks (e.g. images), remove the
`data` field before JSON-stringifying. This prevents base64 payloads
from bloating the synthetic MOIM message with thousands of wasted
tokens. The block metadata (type, mimeType, etc.) is preserved so the
model knows a non-text block exists without seeing the raw data.

Signed-off-by: Andrew Harvard <aharvard@squareup.com>
Co-authored-by: Goose <opensource@block.xyz>
Ai-assisted: true
---
 crates/goose/src/agents/agent.rs | 19 +++++++++++++++----
 1 file changed, 15 insertions(+), 4 deletions(-)

diff --git a/crates/goose/src/agents/agent.rs b/crates/goose/src/agents/agent.rs
index 9fcf8a2295be..22ee80659a23 100644
--- a/crates/goose/src/agents/agent.rs
+++ b/crates/goose/src/agents/agent.rs
@@ -520,8 +520,17 @@ impl Agent {
                 for block in content {
                     if let Some(text) = block.get("text").and_then(|v| v.as_str()) {
                         section.push_str(&xml_escape(text));
-                    } else if let Ok(json_str) = serde_json::to_string(block) {
-                        section.push_str(&xml_escape(&json_str));
+                    } else {
+                        // Serialize non-text blocks but strip large binary
+                        // payloads (e.g. base64 image data) to avoid bloating
+                        // the synthetic message with thousands of tokens.
+                        let mut stripped = block.clone();
+                        if let Some(obj) = stripped.as_object_mut() {
+                            obj.remove("data");
+                        }
+                        if let Ok(json_str) = serde_json::to_string(&stripped) {
+                            section.push_str(&xml_escape(&json_str));
+                        }
                     }
                     section.push('\n');
                 }
@@ -2474,7 +2483,7 @@ mod tests {
     }
 
     #[tokio::test]
-    async fn test_mcp_app_context_non_text_blocks_serialized() {
+    async fn test_mcp_app_context_non_text_blocks_serialized_without_data() {
         let agent = Agent::new();
 
         agent
@@ -2483,7 +2492,7 @@ mod tests {
                 McpAppContext {
                     content: Some(vec![
                         serde_json::json!({"type": "text", "text": "hello"}),
-                        serde_json::json!({"type": "image", "data": "base64..."}),
+                        serde_json::json!({"type": "image", "data": "iVBORw0KGgoAAAANS...", "mimeType": "image/png"}),
                     ]),
                     structured_content: None,
                 },
@@ -2493,5 +2502,7 @@ mod tests {
         let text = agent.collect_mcp_app_contexts().await.unwrap();
         assert!(text.contains("hello"));
         assert!(text.contains("&quot;type&quot;:&quot;image&quot;"));
+        assert!(text.contains("&quot;mimeType&quot;:&quot;image/png&quot;"));
+        assert!(!text.contains("iVBORw0KGgoAAAANS"));
     }
 }

From d5e2cba51c2d5cbb8f45cc67e262c95d8f5f5997 Mon Sep 17 00:00:00 2001
From: Andrew Harvard <aharvard@squareup.com>
Date: Fri, 20 Mar 2026 17:13:14 -0400
Subject: [PATCH 5/5] fix: don't expose structuredContent or resource blobs to
 model

structuredContent is view-only hydration data and should never be
injected into the model context. Remove it from collect_mcp_app_contexts
entirely.

Also strip resource.blob from embedded resource content blocks alongside
the existing data field stripping, preventing binary payloads from
leaking into the synthetic message.

Signed-off-by: Andrew Harvard <aharvard@squareup.com>
Co-authored-by: Goose <opensource@block.xyz>
Ai-assisted: true
---
 crates/goose/src/agents/agent.rs | 38 ++++++++++++++++++++------------
 1 file changed, 24 insertions(+), 14 deletions(-)

diff --git a/crates/goose/src/agents/agent.rs b/crates/goose/src/agents/agent.rs
index 22ee80659a23..507e0f3b56fe 100644
--- a/crates/goose/src/agents/agent.rs
+++ b/crates/goose/src/agents/agent.rs
@@ -522,11 +522,16 @@ impl Agent {
                         section.push_str(&xml_escape(text));
                     } else {
                         // Serialize non-text blocks but strip large binary
-                        // payloads (e.g. base64 image data) to avoid bloating
-                        // the synthetic message with thousands of tokens.
+                        // payloads (e.g. base64 image data, embedded resource
+                        // blobs) to avoid bloating the synthetic message.
                         let mut stripped = block.clone();
                         if let Some(obj) = stripped.as_object_mut() {
                             obj.remove("data");
+                            if let Some(resource) = obj.get_mut("resource") {
+                                if let Some(res_obj) = resource.as_object_mut() {
+                                    res_obj.remove("blob");
+                                }
+                            }
                         }
                         if let Ok(json_str) = serde_json::to_string(&stripped) {
                             section.push_str(&xml_escape(&json_str));
@@ -535,12 +540,8 @@ impl Agent {
                     section.push('\n');
                 }
             }
-            if let Some(structured) = &ctx.structured_content {
-                if let Ok(json_str) = serde_json::to_string_pretty(structured) {
-                    section.push_str(&xml_escape(&json_str));
-                    section.push('\n');
-                }
-            }
+            // structuredContent is intentionally not injected — it is
+            // view-only hydration data and should never reach the model.
             section.push_str("</mcp-app-context>");
             parts.push(section);
         }
@@ -2442,22 +2443,25 @@ mod tests {
     }
 
     #[tokio::test]
-    async fn test_mcp_app_context_structured_content() {
+    async fn test_mcp_app_context_structured_content_not_injected() {
         let agent = Agent::new();
 
         agent
             .update_mcp_app_context(
                 "ext__ui://ext/tool".to_string(),
                 McpAppContext {
-                    content: None,
-                    structured_content: Some(serde_json::json!({"items": 3, "total": 150})),
+                    content: Some(vec![
+                        serde_json::json!({"type": "text", "text": "visible to model"}),
+                    ]),
+                    structured_content: Some(serde_json::json!({"secret": "hydration-only"})),
                 },
             )
             .await;
 
         let text = agent.collect_mcp_app_contexts().await.unwrap();
-        assert!(text.contains("&quot;items&quot;: 3"));
-        assert!(text.contains("&quot;total&quot;: 150"));
+        assert!(text.contains("visible to model"));
+        assert!(!text.contains("hydration-only"));
+        assert!(!text.contains("secret"));
     }
 
     #[tokio::test]
@@ -2483,7 +2487,7 @@ mod tests {
     }
 
     #[tokio::test]
-    async fn test_mcp_app_context_non_text_blocks_serialized_without_data() {
+    async fn test_mcp_app_context_non_text_blocks_strip_binary() {
         let agent = Agent::new();
 
         agent
@@ -2493,6 +2497,7 @@ mod tests {
                     content: Some(vec![
                         serde_json::json!({"type": "text", "text": "hello"}),
                         serde_json::json!({"type": "image", "data": "iVBORw0KGgoAAAANS...", "mimeType": "image/png"}),
+                        serde_json::json!({"type": "resource", "resource": {"uri": "file:///doc.pdf", "blob": "JVBERi0xLjQK...", "mimeType": "application/pdf"}}),
                     ]),
                     structured_content: None,
                 },
@@ -2501,8 +2506,13 @@ mod tests {
 
         let text = agent.collect_mcp_app_contexts().await.unwrap();
         assert!(text.contains("hello"));
+        // Image: type and mimeType preserved, data stripped
         assert!(text.contains("&quot;type&quot;:&quot;image&quot;"));
         assert!(text.contains("&quot;mimeType&quot;:&quot;image/png&quot;"));
         assert!(!text.contains("iVBORw0KGgoAAAANS"));
+        // Resource: uri and mimeType preserved, blob stripped
+        assert!(text.contains("file:///doc.pdf"));
+        assert!(text.contains("application/pdf"));
+        assert!(!text.contains("JVBERi0xLjQK"));
     }
 }