refactor(api): remove dead legacy unscoped /mcp/* route mounts #3665

Draft
viktormarinho wants to merge 1 commit into main from rafavalls/remove-legacy-mcp-routes



@viktormarinho viktormarinho commented Jun 3, 2026

Summary

Removes the legacy unscoped MCP route mounts from app.ts:

  • /mcp/:connectionId (legacyProxy)
  • /mcp/self (legacySelf)
  • /mcp/gateway/:virtualMcpId + /mcp/virtual-mcp/:virtualMcpId (legacyVirtualMcp)
  • the now-dead app.use("/mcp/...", mcpAuth) registrations + 3 orphaned imports

All MCP traffic already flows through the org-scoped /api/:org/mcp/* routes in createOrgScopedApi (which front resolveOrgFromPath + mcpAuth). These factories (createProxyRoutes, createSelfRoutes, createVirtualMcpRoutes) are unchanged and still mounted there.

Why now

Production inbound traffic (HyperDX, service:mesh, span.kind:internal, 7d) to the unscoped /mcp/self, /mcp/:connectionId, /mcp/gateway, /mcp/virtual-mcp paths has drained to ~0 — all live MCP traffic is on /api/:org/mcp/*.

Test migration

The access-control, proxy, and oauth-proxy integration suites drove their assertions through the removed unscoped surface (and, due to loose not.toBe(403) / [403,404] assertions, were passing vacuously on 404). Migrated them to /api/:org/mcp/*, seeding member rows so resolveOrgFromPath admits the principal. They now exercise the real surviving route + RBAC again.

  • access-control 7/7, proxy 1/1, oauth-proxy 44/44 green vs real Postgres
  • tsc --noEmit, oxlint, knip all clean

⚠️ DO NOT MERGE YET — blocked on emitter migration + drain

Several live code paths (incl. published packages) still construct these legacy URLs:

  • @deco/runtime bindings.ts → ${meshUrl}/mcp/${connectionId}
  • @deco/mesh-sdk constants.ts (self connection_url) + mcp-oauth.ts (no-orgSlug fallback)
  • mesh decopilot/dispatch-run.ts → /mcp/virtual-mcp/${agentId}
  • typegen CLI → /mcp/virtual-mcp/${mcpId}

These must be migrated to scoped paths (separate PR) and older published-package versions must drain before this can merge. Re-confirm via the deprecated route signal (note: that log currently can't fire — console.log isn't bridged to OTLP in observability/index.ts; fix that first).

🤖 Generated with Claude Code


Summary by cubic

Removed the legacy unscoped MCP routes and guards, consolidating all MCP traffic under /api/:org/mcp/*. Updated integration tests to use the scoped paths so they exercise real org resolution and RBAC.

  • Refactors

    • Removed /mcp/:connectionId, /mcp/self, /mcp/gateway/:virtualMcpId, /mcp/virtual-mcp/:virtualMcpId mounts and their mcpAuth registrations.
    • createProxyRoutes, createSelfRoutes, and createVirtualMcpRoutes continue to run under the org-scoped API; handlers unchanged.
    • Migrated access-control, proxy, and oauth-proxy integration tests to scoped routes and seeded org membership.
  • Migration

    • Blocked until all emitters switch to scoped URLs: @deco/runtime (bindings), @deco/mesh-sdk (constants and OAuth fallback), mesh decopilot/dispatch-run.ts, and typegen CLI.
    • Allow older published versions to drain after the change.
    • Reconfirm via the deprecated-route signal; first bridge console.log to OTLP in observability/index.ts.

Written for commit cbe5f23. Summary will update on new commits.


Remove the legacy /mcp/:connectionId, /mcp/self, /mcp/gateway and
/mcp/virtual-mcp mounts plus their now-dead mcpAuth registrations and
orphaned imports. All MCP traffic goes through the org-scoped
/api/:org/mcp/* routes in createOrgScopedApi; inbound traffic to the
legacy paths has drained to ~0.

Migrate the access-control, proxy and oauth-proxy integration suites to the
scoped paths (seeding org membership so resolveOrgFromPath admits the
principal), since they exercised RBAC / cross-org behavior through the
now-removed unscoped surface.

DO NOT MERGE until the legacy-URL emitters (@deco/runtime bindings,
@deco/mesh-sdk constants + mcp-oauth fallback, decopilot dispatch, typegen)
are migrated to scoped paths and older published-package versions drain.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
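
The vacuous pass described under "Test migration", as an added example that is not part of the PR or the project's code: a toy router stands in for the real app, and the org name, user names and the 403/404 statuses it returns are constructed assumptions. It compares the two loose assertion shapes named in the PR with strict equality checks once the legacy mount is gone.

```javascript
// Constructed model, not the project's code: a toy router with one scoped and
// one legacy route, used to show how loose status assertions pass on 404.
const members = new Map([["acme", new Set(["alice"])]]); // constructed membership

function makeApp({ legacyMounted }) {
  return function request(path, user) {
    // Scoped route: /api/:org/mcp/:connectionId, membership checked first.
    let m = path.match(/^\/api\/([^/]+)\/mcp\/([^/]+)$/);
    if (m) {
      const org = members.get(m[1]);
      if (!org) return 404;             // unknown org (assumed status)
      return org.has(user) ? 200 : 403; // non-member denied (assumed status)
    }
    // Legacy unscoped route: only answers while it is still mounted.
    m = path.match(/^\/mcp\/([^/]+)$/);
    if (m && legacyMounted) return user === "alice" ? 200 : 403;
    return 404;                         // no route matched
  };
}

// The two loose shapes named in the PR, and their strict counterparts.
const looseAllowed = (s) => s !== 403;             // not.toBe(403)
const looseDenied = (s) => [403, 404].includes(s); // [403,404]
const strictAllowed = (s) => s === 200;
const strictDenied = (s) => s === 403;

function compare(path, user, legacyMounted) {
  const status = makeApp({ legacyMounted })(path, user);
  return {
    status,
    looseAllowed: looseAllowed(status),
    looseDenied: looseDenied(status),
    strictAllowed: strictAllowed(status),
    strictDenied: strictDenied(status),
  };
}

// After removal the legacy path is a 404, yet both loose checks still pass.
console.log(compare("/mcp/conn_1", "alice", false));
// The scoped path with a member and a non-member reaches the membership check.
console.log(compare("/api/acme/mcp/conn_1", "alice", false));
console.log(compare("/api/acme/mcp/conn_1", "mallory", false));
```

On the removed path both loose checks return true for a 404 while both strict checks return false, so only the strict form notices that no handler ran.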

github-actions Bot commented Jun 3, 2026

🧪 Benchmark

Should we run the Virtual MCP strategy benchmark for this PR?

React with 👍 to run the benchmark.

Reaction | Action
👍 | Run quick benchmark (10 & 128 tools)

Benchmark will run on the next push after you react.
