MCP Apps: Security hardening — audit logging and resource integrity #8014

@aharvard

Description

Two related security hardening items for MCP Apps, per the MCP Apps specification (2026-01-26):

1. Audit logging for View-initiated RPC calls

MCP Apps can call tools and read resources on behalf of the user through the sandbox bridge. These calls are not logged in any auditable way. For security review, Goose should log which app initiated the call, the method, the tool/resource name, and a timestamp.

2. Resource integrity verification

When Goose fetches HTML content from a ui:// resource, there is no integrity verification (hash or signature) to detect tampering. This would protect against a compromised MCP server serving malicious UI content. Optionally, support an allowlist/blocklist of trusted MCP App sources.

Scope

  • Add structured logging to handleCallTool and handleReadResource callbacks
  • Consider a backend audit log endpoint for persistent logging
  • Generate and verify content hashes for fetched UI resources
  • Optionally support an allowlist/blocklist of trusted sources
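The two items above, as an added example that is not code from the Goose project or from this issue's author: a bridge-handler wrapper that writes a structured audit record (app, method, tool/resource name, timestamp) before dispatching each View-initiated call, and a pre-render check for `ui://` resources that applies an allowlist/blocklist and compares a SHA-256 of the fetched HTML against a pinned hash. The `AuditEntry` shape, the in-memory sink, the server-name-keyed `SourcePolicy` and every function name are assumptions made for this example. The one caveat worth stating: the pinned hash has to come from somewhere the serving MCP server cannot rewrite (for example, recorded when the extension was installed); a hash delivered alongside the HTML by the same server does not protect against that server being compromised.

```typescript
import { createHash, timingSafeEqual } from "node:crypto";

// --- 1. Audit logging for View-initiated RPC calls ---------------------------

// One audit record per RPC call a View issues through the sandbox bridge.
// Field set follows the issue text; the exact shape is an assumption, not Goose's.
interface AuditEntry {
  timestamp: string;                       // ISO-8601
  appId: string;                           // which MCP App initiated the call
  method: "tools/call" | "resources/read";
  target: string;                          // tool name or resource URI
}

interface AuditSink {
  write(entry: AuditEntry): void;
}

// In-memory sink so the example runs offline; a persistent backend endpoint
// (as the issue suggests) would implement the same interface.
class InMemoryAuditLog implements AuditSink {
  readonly entries: AuditEntry[] = [];
  write(entry: AuditEntry): void {
    this.entries.push(entry);
  }
}

// Wrap a bridge handler (e.g. the handleCallTool / handleReadResource callback)
// so every call is recorded before it is dispatched. Logging first means a
// handler that throws is still on record.
function withAudit<T>(
  sink: AuditSink,
  appId: string,
  method: AuditEntry["method"],
  inner: (target: string) => T,
  now: () => Date = () => new Date(),
): (target: string) => T {
  return (target: string): T => {
    sink.write({ timestamp: now().toISOString(), appId, method, target });
    return inner(target);
  };
}

// --- 2. Resource integrity verification ---------------------------------------

function sha256Hex(content: string): string {
  return createHash("sha256").update(content, "utf8").digest("hex");
}

// Allowlist/blocklist keyed by MCP server name (assumed key). An explicit
// allowlist is closed by default; a blocklist only rejects the names it lists.
interface SourcePolicy {
  allow?: string[];
  block?: string[];
}

type IntegrityResult = { ok: true } | { ok: false; reason: string };

// Verify a fetched ui:// resource before it is rendered. `expectedSha256` is
// the pinned hash from a source the serving server cannot rewrite.
function verifyUiResource(
  serverName: string,
  uri: string,
  html: string,
  expectedSha256: string | undefined,
  policy: SourcePolicy = {},
): IntegrityResult {
  if (!uri.startsWith("ui://")) {
    return { ok: false, reason: "not a ui:// resource" };
  }
  if (policy.block?.includes(serverName)) {
    return { ok: false, reason: `source ${serverName} is blocklisted` };
  }
  if (policy.allow !== undefined && !policy.allow.includes(serverName)) {
    return { ok: false, reason: `source ${serverName} is not allowlisted` };
  }
  if (expectedSha256 === undefined) {
    return { ok: false, reason: "no pinned hash for this resource" };
  }
  // Compare the hex digests in constant time; timingSafeEqual throws on
  // unequal lengths, so check length first.
  const actual = new TextEncoder().encode(sha256Hex(html));
  const expected = new TextEncoder().encode(expectedSha256.toLowerCase());
  if (actual.length !== expected.length || !timingSafeEqual(actual, expected)) {
    return { ok: false, reason: "content hash mismatch" };
  }
  return { ok: true };
}
```

In `McpAppRenderer.tsx` the wrapper would sit around the existing bridge callbacks, and `verifyUiResource` would run between fetching the `ui://` content and handing it to the iframe; a failed result should block rendering and itself be written to the audit sink, since a mismatch is exactly the event a security review wants to see.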

Files

  • ui/desktop/src/components/McpApps/McpAppRenderer.tsx
  • Potentially crates/goose/src/agents/extension_manager.rs (allowlist)
  • Potentially a new backend route for persistent audit logging

Metadata

Assignees

No one assigned

Labels

  • enhancement (New feature or request)
  • mcp (MCP/Extension related)
  • mcp-apps-compliance (MCP Apps spec compliance (2026-01-26))
  • p3 (Priority 3 - Low)
  • security (Security related)
