Add /:org/mcp and /:org/:workspace/mcp context routes

[RhysSullivan]

The plan moves cloud's "active org/workspace" off hidden state and onto
the URL. This wires that into the MCP edge:

• /:org/mcp and /:org/:workspace/mcp are first-class MCP routes.
  /mcp stays as a compatibility fallback that resolves to the user's
  first org membership (oldest by created_at). No "last active workspace"
  fallback, per the plan.

• The MCP session DO is now keyed off the URL-resolved (org, workspace?)
  pair rather than the JWT's org_id claim. The JWT proves identity;
  the URL is the truth. validateSessionOwner checks workspace id too,
  so a session opened against one workspace can't be reused against
  another (or against no workspace).

• /.well-known/oauth-protected-resource/:org/mcp and the workspace
  variant are published, with the resource field pointing at the
  matching public MCP URL.

• oauthCallbackUrl mirrors the page's org/workspace prefix into the
  redirect URI so OAuth callbacks land in the same scope-stack context
  the source/connection lives in.

• Test worker gets a /__test__/seed-workspace endpoint and a test-only
  McpUrlContextResolver that auto-mirrors org rows from the bearer for
  the fallback path (we can't reach WorkOS from the test isolate).

[RhysSullivan]

Warning

This pull request is not mergeable via GitHub because a downstack PR is open. Once all requirements are satisfied, merge this PR as a stack on Graphite.
Learn more

• Add /:org/mcp and /:org/:workspace/mcp context routes #514 👈 (View in Graphite)
• WIP: move file routes under /$org and reshape auth.me #507 : 1 other dependent PR (#508 )
• Add scope-stack builders, URL-context resolver, workspace executor #506
• Add workspaces CRUD API under OrgHttpApi #505
• Cut over scope ids to deterministic prefixed form #504
• Add organizations.handle and workspaces table #503
• Add cloud id helpers: prefixed local ids, scope id constructors, handle slugifier #502
• main

This stack of pull requests is managed by Graphite. Learn more about stacking.

[pkg-pr-new]

Open in StackBlitz

@executor-js/cli

npm i https://pkg.pr.new/@executor-js/cli@514

@executor-js/config

npm i https://pkg.pr.new/@executor-js/config@514

@executor-js/execution

npm i https://pkg.pr.new/@executor-js/execution@514

@executor-js/sdk

npm i https://pkg.pr.new/@executor-js/sdk@514

@executor-js/storage-core

npm i https://pkg.pr.new/@executor-js/storage-core@514

@executor-js/codemode-core

npm i https://pkg.pr.new/@executor-js/codemode-core@514

@executor-js/runtime-quickjs

npm i https://pkg.pr.new/@executor-js/runtime-quickjs@514

@executor-js/plugin-file-secrets

npm i https://pkg.pr.new/@executor-js/plugin-file-secrets@514

@executor-js/plugin-google-discovery

npm i https://pkg.pr.new/@executor-js/plugin-google-discovery@514

@executor-js/plugin-graphql

npm i https://pkg.pr.new/@executor-js/plugin-graphql@514

@executor-js/plugin-keychain

npm i https://pkg.pr.new/@executor-js/plugin-keychain@514

@executor-js/plugin-mcp

npm i https://pkg.pr.new/@executor-js/plugin-mcp@514

@executor-js/plugin-onepassword

npm i https://pkg.pr.new/@executor-js/plugin-onepassword@514

@executor-js/plugin-openapi

npm i https://pkg.pr.new/@executor-js/plugin-openapi@514

executor

npm i https://pkg.pr.new/executor@514

commit: b1cb75c

[cloudflare-workers-and-pages]

Deploying with    Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

Status	Name	Latest Commit	Preview URL	Updated (UTC)
✅ Deployment successful! View logs	executor-marketing	b1cb75c	Commit Preview URL Branch Preview URL	May 04 2026, 05:16 PM

[cloudflare-workers-and-pages]

Deploying with    Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

Status	Name	Latest Commit	Updated (UTC)
✅ Deployment successful! View logs	executor-cloud	b1cb75c	May 04 2026, 05:16 PM