feat: introduce a2ui-in-mcpapps sample application

[sugoi-yuzuru]

Adds a sample demonstrating an MCP Application Host that isolation-tests untrusted third-party Angular components via a secure double-iframe proxy pattern.

Includes Angular client host, Python MCP Server, and isolated micro-app source.

Description

📝 Overview

Introduces a new sample application demonstrating how to host Model Context Protocol (MCP) applications that isolation-test untrusted third-party Angular components using a secure double-iframe proxy pattern.

✨ Key Changes

• New Sample Application (samples/agent/mcp/a2ui-in-mcpapps/):
  • client/: Angular host container application managing the outer save iframe.
  • server/: Python MCP server (using uv) serving micro-app resources and tools.
  • server/apps/src/: Isolated micro-app source (Simple Counter) demonstrating A2UI rendering and interactivity.
• Documentation: Added comprehensive README.md mapping architecture, communication flows (Mermaid), and setup instructions.
• Support: Updated root .gitignore to exclude generated sample assets.

✅ Verification

• Sample code added under sample directory; manual verification via local execution of client and server setups.
• Screencast : https://screencast.googleplex.com/cast/NjQwMzk4NjA3OTg3NTA3MnwyNmNmYzM4MC0zOA

---

Summary of Work

1. Analyzed Commits: Identified that the branch contains a single feature commit introducing the new sample app.
2. Scanned Diff Stats: Confirmed 40 files added covering the client container, python server, and isolated counter app framework.
3. Extracted Context: Pulled the secure double-iframe narrative from the sample's README.md.
4. Drafted PR description: Crafted a structured summary hitting intent, core components, and verification steps. Use this to populate the PR prompt.

Pre-launch Checklist

• I signed the CLA.
• I read the Contributors Guide.
• I read the Style Guide.
• I have added updates to the CHANGELOG.
• I updated/added relevant documentation.
• My code changes (if any) have tests.

If you need help, consider asking for advice on the discussion board.

[gemini-code-assist]

Code Review

This pull request introduces a new sample demonstrating a Model Context Protocol (MCP) Application Host that securely isolates untrusted Angular components using a double-iframe proxy pattern. The sample includes an Angular-based client host and a Python MCP server that serves micro-app resources and interactive tools. The review identified several critical security improvements, specifically regarding the validation of message origins and the use of explicit target origins in postMessage calls to prevent XSS and data leakage. Additionally, feedback was provided to address potential memory leaks from duplicate event listeners, fix a failing unit test expectation, and restrict the server's CORS policy.

[dmandar]

can we have a screenshot for posterity?

[sugoi-yuzuru]

can we have a screenshot for posterity?

I have a screencast in the PR, did you want a screenshot in addition?