feat: Integrate MCP Apps into A2UI

[dmandar]

• Adds McpAppsCustomComponent using the official @modelcontextprotocol/ext-apps SDK.
• Implements double-iframe sandbox isolation (sandbox.html, sandbox.ts).
• Upgrades the backend MCP server (floor_plan_server.py) to a persistent SSE architecture using Starlette.
• Configures agent.py to connect via mcp.client.sse.
• Refines Vite configuration for seamless dual-origin local development.

Description

Replace this paragraph with a description of what this PR is changing or adding, and why. Consider including before/after screenshots.

List which issues are fixed by this PR. For larger changes, raising an issue first helps reduce redundant work.

Pre-launch Checklist

• I signed the CLA.
• I read the Contributors Guide.
• I read the Style Guide.
• I have added updates to the CHANGELOG.
• I updated/added relevant documentation.
• My code changes (if any) have tests.

If you need help, consider asking for advice on the discussion board.

[gemini-code-assist]

Code Review

This pull request integrates MCP Apps into A2UI by adding a new McpAppsCustomComponent, a double-iframe sandbox for security, and a persistent SSE backend. The changes are significant and well-structured. My review focuses on improving security and configuration management. I've identified critical security issues related to postMessage usage that should be addressed. Additionally, there are opportunities to improve maintainability by removing hardcoded URLs and making the code more robust. The repository's style guide requires tests for new code (line 17), which seem to be missing for the new components and server logic. Please consider adding tests to ensure the stability and correctness of these new features.