v1.4.15

Highlights

Install paths fixed

npm i -g executor and bun i -g executor both work cleanly on a fresh machine. For machines without node, curl … install.sh | bash does the same thing.

1.4.13 and 1.4.14 were partial releases that didn't make it to npm cleanly. If you tried npm i -g executor@latest and got an older version, that's why. 1.4.15 is the first complete release of the new packaging.

MCP sources honor upstream destructiveHint

MCP sources now read destructiveHint from upstream tool annotations. Tools marked destructive will require approval before running, surfaced via MCP elicitation. Refresh existing sources (or remove + re-add) to pick up annotations on tools added before this change.

Set tool policies from the Tools page

The local UI gains a Policies tab for managing approval rules, plus a per-row action menu on the Tools tree. Hover any tool or category and pick Always run / Require approval / Block / Clear — leaf rows save a rule for the exact tool id, group rows save a prefix.* wildcard. New rules are auto-placed by specificity so a freshly-added group rule never silently shadows an existing leaf rule. The same menu is available from the tool detail header and from any source-detail page.

Per-user OAuth for OpenAPI and MCP sources

OpenAPI and MCP sources now carry first-class Connections — a per-user sign-in state decoupled from the source definition itself.

• Save an OAuth2 OpenAPI or MCP source before signing in; users sign in later from the source page.
• Each connection refreshes independently, with concurrent refreshes deduped across the SDK. When a refresh can't recover, the SDK surfaces an explicit reauth-required signal instead of silently failing.
• The Edit OpenAPI Source page has a new Connections pane showing every user who has signed in and their status. Each source in the sidebar now shows a live connection badge.
• Existing OpenAPI + MCP + google-discovery OAuth rows migrate into Connections automatically on first launch — no user action required.

OpenAPI: client-credentials, non-JSON bodies, source refresh

• Full OAuth2 client-credentials flow end-to-end.
• Non-JSON request bodies dispatch correctly by content type; Executor honors OAS3 encoding and multi-content operations, and lets the caller pick which content type to send.
• Relative OAuth2 URLs resolve against the source's baseUrl.
• Refresh a source by re-fetching its origin URL from the edit page.

Layered scope isolation

Multi-tenant deployments get a proper security primitive. Every read and write now passes through a layered ScopeStack, with the write scope declared explicitly. Plugins have adopted the API; the UI exposes it via CreatableSecretPicker; and WorkOS sources enforce tenant-ownership on every access. Per-scope blob and secret lookups are batched into single IN queries, so the extra check doesn't cost a round-trip.

Natural CLI for tool discovery and invocation

Call tools by path instead of writing TypeScript:

executor call github issues create '{"owner":"octocat","repo":"Hello-World","title":"Hi"}'
executor tools search "send email"
executor tools sources
executor tools describe github.issues.create

executor call <path> --help browses namespaces → resources → methods, with --match <text> --limit <n> to narrow huge namespaces. Errors are normalized for agent consumption, and the resume / help UX is cleaner for non-interactive flows.

Daemon lifecycle

executor daemon run
executor daemon status
executor daemon stop
executor daemon restart

executor call, executor resume, and executor tools … auto-start a local daemon if one isn't running. The daemon pointer is scope-aware, and if the default port is busy the CLI transparently picks an open one — so two projects can run side-by-side without collisions.

executor daemon run now backgrounds by default. Pass --foreground to keep it attached for log inspection.

OpenTelemetry everywhere

Tool dispatch, plugins, storage, schema, and transport are now fully instrumented with OTEL spans, and the runtime is threaded through dispatch so spans actually export in all runtimes.

New presets

• Notion is now a featured MCP preset.

Performance

• buildExecuteDescription no longer calls executor.tools.list, making tool-description generation measurably faster on large workspaces.
• Per-scope blob and secret lookups now use a single IN query instead of N per-scope round-trips.

Fixes

• Upgrade: preserve legacy OAuth connection backfills after the connection.kind column is removed.
• OpenAPI: refreshing or editing sources with legacy inline secret/OAuth config now materializes the new source binding rows instead of dropping credentials.
• Keychain: skip provider registration when the OS backend is unreachable (no more startup failure when running headless on Linux without a keyring).
• Local server: return 404 for missing static assets instead of serving HTML.
• Tests: Windows compatibility across the suite.

Breaking changes

executor call no longer accepts inline code

The old TypeScript-as-argument forms are gone:

executor call '<code>'
executor call --file script.ts
executor call --stdin

Migrate to explicit tool paths:

# before
executor call 'return await tools.github.issues.list({ owner, repo })'
# after
executor call github issues list '{"owner":"octocat","repo":"Hello-World"}'

tools.discover(...) becomes executor tools search "<query>".

sources.add CLI form simplified

Use the dedicated tool:

executor call openapi addSource '{
  "spec": "https://petstore3.swagger.io/api/v3/openapi.json",
  "namespace": "petstore",
  "baseUrl": "https://petstore3.swagger.io/api/v3"
}'

Pass baseUrl when the OpenAPI document has relative servers entries.

SDK: layered scope

Every SDK write now takes an explicit scope. If you have plugins or host code calling the SDK directly, they'll need to adopt the new layered-scope API (see the in-tree plugins for reference — they've all been migrated). This does not affect users of the CLI or web UI.

v1.4.14

Highlights

Install paths fixed

npm i -g executor and bun i -g executor both work cleanly on a fresh machine. For machines without node, curl … install.sh | bash does the same thing.

1.4.13 was a partial release — it only made it to GitHub Releases, not npm. If you tried npm i -g executor and got 1.4.12, that's why. 1.4.14 is the first complete release.

MCP sources honor upstream destructiveHint

MCP sources now read destructiveHint from upstream tool annotations. Tools marked destructive will require approval before running, surfaced via MCP elicitation. Refresh existing sources (or remove + re-add) to pick up annotations on tools added before this change.

Set tool policies from the Tools page

The local UI gains a Policies tab for managing approval rules, plus a per-row action menu on the Tools tree. Hover any tool or category and pick Always run / Require approval / Block / Clear — leaf rows save a rule for the exact tool id, group rows save a prefix.* wildcard. New rules are auto-placed by specificity so a freshly-added group rule never silently shadows an existing leaf rule. The same menu is available from the tool detail header and from any source-detail page.

Per-user OAuth for OpenAPI and MCP sources

OpenAPI and MCP sources now carry first-class Connections — a per-user sign-in state decoupled from the source definition itself.

• Save an OAuth2 OpenAPI or MCP source before signing in; users sign in later from the source page.
• Each connection refreshes independently, with concurrent refreshes deduped across the SDK. When a refresh can't recover, the SDK surfaces an explicit reauth-required signal instead of silently failing.
• The Edit OpenAPI Source page has a new Connections pane showing every user who has signed in and their status. Each source in the sidebar now shows a live connection badge.
• Existing OpenAPI + MCP + google-discovery OAuth rows migrate into Connections automatically on first launch — no user action required.

OpenAPI: client-credentials, non-JSON bodies, source refresh

• Full OAuth2 client-credentials flow end-to-end.
• Non-JSON request bodies dispatch correctly by content type; Executor honors OAS3 encoding and multi-content operations, and lets the caller pick which content type to send.
• Relative OAuth2 URLs resolve against the source's baseUrl.
• Refresh a source by re-fetching its origin URL from the edit page.

Layered scope isolation

Multi-tenant deployments get a proper security primitive. Every read and write now passes through a layered ScopeStack, with the write scope declared explicitly. Plugins have adopted the API; the UI exposes it via CreatableSecretPicker; and WorkOS sources enforce tenant-ownership on every access. Per-scope blob and secret lookups are batched into single IN queries, so the extra check doesn't cost a round-trip.

Natural CLI for tool discovery and invocation

Call tools by path instead of writing TypeScript:

executor call github issues create '{"owner":"octocat","repo":"Hello-World","title":"Hi"}'
executor tools search "send email"
executor tools sources
executor tools describe github.issues.create

executor call <path> --help browses namespaces → resources → methods, with --match <text> --limit <n> to narrow huge namespaces. Errors are normalized for agent consumption, and the resume / help UX is cleaner for non-interactive flows.

Daemon lifecycle

executor daemon run
executor daemon status
executor daemon stop
executor daemon restart

executor call, executor resume, and executor tools … auto-start a local daemon if one isn't running. The daemon pointer is scope-aware, and if the default port is busy the CLI transparently picks an open one — so two projects can run side-by-side without collisions.

executor daemon run now backgrounds by default. Pass --foreground to keep it attached for log inspection.

OpenTelemetry everywhere

Tool dispatch, plugins, storage, schema, and transport are now fully instrumented with OTEL spans, and the runtime is threaded through dispatch so spans actually export in all runtimes.

New presets

• Notion is now a featured MCP preset.

Performance

• buildExecuteDescription no longer calls executor.tools.list, making tool-description generation measurably faster on large workspaces.
• Per-scope blob and secret lookups now use a single IN query instead of N per-scope round-trips.

Fixes

• Upgrade: preserve legacy OAuth connection backfills after the connection.kind column is removed.
• OpenAPI: refreshing or editing sources with legacy inline secret/OAuth config now materializes the new source binding rows instead of dropping credentials.
• Keychain: skip provider registration when the OS backend is unreachable (no more startup failure when running headless on Linux without a keyring).
• Local server: return 404 for missing static assets instead of serving HTML.
• Tests: Windows compatibility across the suite.

Breaking changes

executor call no longer accepts inline code

The old TypeScript-as-argument forms are gone:

executor call '<code>'
executor call --file script.ts
executor call --stdin

Migrate to explicit tool paths:

# before
executor call 'return await tools.github.issues.list({ owner, repo })'
# after
executor call github issues list '{"owner":"octocat","repo":"Hello-World"}'

tools.discover(...) becomes executor tools search "<query>".

sources.add CLI form simplified

Use the dedicated tool:

executor call openapi addSource '{
  "spec": "https://petstore3.swagger.io/api/v3/openapi.json",
  "namespace": "petstore",
  "baseUrl": "https://petstore3.swagger.io/api/v3"
}'

Pass baseUrl when the OpenAPI document has relative servers entries.

SDK: layered scope

Every SDK write now takes an explicit scope. If you have plugins or host code calling the SDK directly, they'll need to adopt the new layered-scope API (see the in-tree plugins for reference — they've all been migrated). This does not affect users of the CLI or web UI.

v1.4.13

Highlights

Platform binaries distributed via optionalDependencies

The CLI now ships its native binary as one of several executor-<plat>-<arch> packages listed under optionalDependencies, the same pattern esbuild/swc/opencode use. npm and bun only fetch the matching binary, and there's no postinstall network call — npm i -g executor and bun i -g executor (which blocks postinstall by default) both work. For machines without node at all, install via curl … install.sh | bash.

MCP sources honor upstream destructiveHint

MCP sources now read destructiveHint from upstream tool annotations. Tools marked destructive will require approval before running, surfaced via MCP elicitation. Refresh existing sources (or remove + re-add) to pick up annotations on tools added before this change.

Set tool policies from the Tools page

The local UI gains a Policies tab for managing approval rules, plus a per-row action menu on the Tools tree. Hover any tool or category and pick Always run / Require approval / Block / Clear — leaf rows save a rule for the exact tool id, group rows save a prefix.* wildcard. New rules are auto-placed by specificity so a freshly-added group rule never silently shadows an existing leaf rule. The same menu is available from the tool detail header and from any source-detail page.

Per-user OAuth for OpenAPI and MCP sources

OpenAPI and MCP sources now carry first-class Connections — a per-user sign-in state decoupled from the source definition itself.

• Save an OAuth2 OpenAPI or MCP source before signing in; users sign in later from the source page.
• Each connection refreshes independently, with concurrent refreshes deduped across the SDK. When a refresh can't recover, the SDK surfaces an explicit reauth-required signal instead of silently failing.
• The Edit OpenAPI Source page has a new Connections pane showing every user who has signed in and their status. Each source in the sidebar now shows a live connection badge.
• Existing OpenAPI + MCP + google-discovery OAuth rows migrate into Connections automatically on first launch — no user action required.

OpenAPI: client-credentials, non-JSON bodies, source refresh

• Full OAuth2 client-credentials flow end-to-end.
• Non-JSON request bodies dispatch correctly by content type; Executor honors OAS3 encoding and multi-content operations, and lets the caller pick which content type to send.
• Relative OAuth2 URLs resolve against the source's baseUrl.
• Refresh a source by re-fetching its origin URL from the edit page.

Layered scope isolation

Multi-tenant deployments get a proper security primitive. Every read and write now passes through a layered ScopeStack, with the write scope declared explicitly. Plugins have adopted the API; the UI exposes it via CreatableSecretPicker; and WorkOS sources enforce tenant-ownership on every access. Per-scope blob and secret lookups are batched into single IN queries, so the extra check doesn't cost a round-trip.

Natural CLI for tool discovery and invocation

Call tools by path instead of writing TypeScript:

executor call github issues create '{"owner":"octocat","repo":"Hello-World","title":"Hi"}'
executor tools search "send email"
executor tools sources
executor tools describe github.issues.create

executor call <path> --help browses namespaces → resources → methods, with --match <text> --limit <n> to narrow huge namespaces. Errors are normalized for agent consumption, and the resume / help UX is cleaner for non-interactive flows.

Daemon lifecycle

executor daemon run
executor daemon status
executor daemon stop
executor daemon restart

executor call, executor resume, and executor tools … auto-start a local daemon if one isn't running. The daemon pointer is scope-aware, and if the default port is busy the CLI transparently picks an open one — so two projects can run side-by-side without collisions.

executor daemon run now backgrounds by default. Pass --foreground to keep it attached for log inspection.

OpenTelemetry everywhere

Tool dispatch, plugins, storage, schema, and transport are now fully instrumented with OTEL spans, and the runtime is threaded through dispatch so spans actually export in all runtimes.

New presets

• Notion is now a featured MCP preset.

Performance

• buildExecuteDescription no longer calls executor.tools.list, making tool-description generation measurably faster on large workspaces.
• Per-scope blob and secret lookups now use a single IN query instead of N per-scope round-trips.

Fixes

• Upgrade: preserve legacy OAuth connection backfills after the connection.kind column is removed.
• OpenAPI: refreshing or editing sources with legacy inline secret/OAuth config now materializes the new source binding rows instead of dropping credentials.
• Keychain: skip provider registration when the OS backend is unreachable (no more startup failure when running headless on Linux without a keyring).
• Local server: return 404 for missing static assets instead of serving HTML.
• Tests: Windows compatibility across the suite.

Breaking changes

executor call no longer accepts inline code

The old TypeScript-as-argument forms are gone:

executor call '<code>'
executor call --file script.ts
executor call --stdin

Migrate to explicit tool paths:

# before
executor call 'return await tools.github.issues.list({ owner, repo })'
# after
executor call github issues list '{"owner":"octocat","repo":"Hello-World"}'

tools.discover(...) becomes executor tools search "<query>".

sources.add CLI form simplified

Use the dedicated tool:

executor call openapi addSource '{
  "spec": "https://petstore3.swagger.io/api/v3/openapi.json",
  "namespace": "petstore",
  "baseUrl": "https://petstore3.swagger.io/api/v3"
}'

Pass baseUrl when the OpenAPI document has relative servers entries.

SDK: layered scope

Every SDK write now takes an explicit scope. If you have plugins or host code calling the SDK directly, they'll need to adopt the new layered-scope API (see the in-tree plugins for reference — they've all been migrated). This does not affect users of the CLI or web UI.

v1.4.12

Highlights

MCP sources honor upstream destructiveHint

MCP sources now read destructiveHint from upstream tool annotations. Tools marked destructive will require approval before running, surfaced via MCP elicitation. Refresh existing sources (or remove + re-add) to pick up annotations on tools added before this change.

Set tool policies from the Tools page

The local UI gains a Policies tab for managing approval rules, plus a per-row action menu on the Tools tree. Hover any tool or category and pick Always run / Require approval / Block / Clear — leaf rows save a rule for the exact tool id, group rows save a prefix.* wildcard. New rules are auto-placed by specificity so a freshly-added group rule never silently shadows an existing leaf rule. The same menu is available from the tool detail header and from any source-detail page.

Per-user OAuth for OpenAPI and MCP sources

OpenAPI and MCP sources now carry first-class Connections — a per-user sign-in state decoupled from the source definition itself.

• Save an OAuth2 OpenAPI or MCP source before signing in; users sign in later from the source page.
• Each connection refreshes independently, with concurrent refreshes deduped across the SDK. When a refresh can't recover, the SDK surfaces an explicit reauth-required signal instead of silently failing.
• The Edit OpenAPI Source page has a new Connections pane showing every user who has signed in and their status. Each source in the sidebar now shows a live connection badge.
• Existing OpenAPI + MCP + google-discovery OAuth rows migrate into Connections automatically on first launch — no user action required.

OpenAPI: client-credentials, non-JSON bodies, source refresh

• Full OAuth2 client-credentials flow end-to-end.
• Non-JSON request bodies dispatch correctly by content type; Executor honors OAS3 encoding and multi-content operations, and lets the caller pick which content type to send.
• Relative OAuth2 URLs resolve against the source's baseUrl.
• Refresh a source by re-fetching its origin URL from the edit page.

Layered scope isolation

Multi-tenant deployments get a proper security primitive. Every read and write now passes through a layered ScopeStack, with the write scope declared explicitly. Plugins have adopted the API; the UI exposes it via CreatableSecretPicker; and WorkOS sources enforce tenant-ownership on every access. Per-scope blob and secret lookups are batched into single IN queries, so the extra check doesn't cost a round-trip.

Natural CLI for tool discovery and invocation

Call tools by path instead of writing TypeScript:

executor call github issues create '{"owner":"octocat","repo":"Hello-World","title":"Hi"}'
executor tools search "send email"
executor tools sources
executor tools describe github.issues.create

executor call <path> --help browses namespaces → resources → methods, with --match <text> --limit <n> to narrow huge namespaces. Errors are normalized for agent consumption, and the resume / help UX is cleaner for non-interactive flows.

Daemon lifecycle

executor daemon run
executor daemon status
executor daemon stop
executor daemon restart

executor call, executor resume, and executor tools … auto-start a local daemon if one isn't running. The daemon pointer is scope-aware, and if the default port is busy the CLI transparently picks an open one — so two projects can run side-by-side without collisions.

executor daemon run now backgrounds by default. Pass --foreground to keep it attached for log inspection.

OpenTelemetry everywhere

Tool dispatch, plugins, storage, schema, and transport are now fully instrumented with OTEL spans, and the runtime is threaded through dispatch so spans actually export in all runtimes.

New presets

• Notion is now a featured MCP preset.

Performance

• buildExecuteDescription no longer calls executor.tools.list, making tool-description generation measurably faster on large workspaces.
• Per-scope blob and secret lookups now use a single IN query instead of N per-scope round-trips.

Fixes

• Upgrade: preserve legacy OAuth connection backfills after the connection.kind column is removed.
• OpenAPI: refreshing or editing sources with legacy inline secret/OAuth config now materializes the new source binding rows instead of dropping credentials.
• Keychain: skip provider registration when the OS backend is unreachable (no more startup failure when running headless on Linux without a keyring).
• Local server: return 404 for missing static assets instead of serving HTML.
• Tests: Windows compatibility across the suite.

Breaking changes

executor call no longer accepts inline code

The old TypeScript-as-argument forms are gone:

executor call '<code>'
executor call --file script.ts
executor call --stdin

Migrate to explicit tool paths:

# before
executor call 'return await tools.github.issues.list({ owner, repo })'
# after
executor call github issues list '{"owner":"octocat","repo":"Hello-World"}'

tools.discover(...) becomes executor tools search "<query>".

sources.add CLI form simplified

Use the dedicated tool:

executor call openapi addSource '{
  "spec": "https://petstore3.swagger.io/api/v3/openapi.json",
  "namespace": "petstore",
  "baseUrl": "https://petstore3.swagger.io/api/v3"
}'

Pass baseUrl when the OpenAPI document has relative servers entries.

SDK: layered scope

Every SDK write now takes an explicit scope. If you have plugins or host code calling the SDK directly, they'll need to adopt the new layered-scope API (see the in-tree plugins for reference — they've all been migrated). This does not affect users of the CLI or web UI.

v1.4.11

Highlights

Per-user OAuth for OpenAPI and MCP sources

OpenAPI and MCP sources now carry first-class Connections — a per-user sign-in state decoupled from the source definition itself.

• Save an OAuth2 OpenAPI or MCP source before signing in; users sign in later from the source page.
• Each connection refreshes independently, with concurrent refreshes deduped across the SDK. When a refresh can't recover, the SDK surfaces an explicit reauth-required signal instead of silently failing.
• The Edit OpenAPI Source page has a new Connections pane showing every user who has signed in and their status. Each source in the sidebar now shows a live connection badge.
• Existing OpenAPI + MCP + google-discovery OAuth rows migrate into Connections automatically on first launch — no user action required.

OpenAPI: client-credentials, non-JSON bodies, source refresh

• Full OAuth2 client-credentials flow end-to-end.
• Non-JSON request bodies dispatch correctly by content type; Executor honors OAS3 encoding and multi-content operations, and lets the caller pick which content type to send.
• Relative OAuth2 URLs resolve against the source's baseUrl.
• Refresh a source by re-fetching its origin URL from the edit page.

Layered scope isolation

Multi-tenant deployments get a proper security primitive. Every read and write now passes through a layered ScopeStack, with the write scope declared explicitly. Plugins have adopted the API; the UI exposes it via CreatableSecretPicker; and WorkOS sources enforce tenant-ownership on every access. Per-scope blob and secret lookups are batched into single IN queries, so the extra check doesn't cost a round-trip.

Natural CLI for tool discovery and invocation

Call tools by path instead of writing TypeScript:

executor call github issues create '{"owner":"octocat","repo":"Hello-World","title":"Hi"}'
executor tools search "send email"
executor tools sources
executor tools describe github.issues.create

executor call <path> --help browses namespaces → resources → methods, with --match <text> --limit <n> to narrow huge namespaces. Errors are normalized for agent consumption, and the resume / help UX is cleaner for non-interactive flows.

Daemon lifecycle

executor daemon run
executor daemon status
executor daemon stop
executor daemon restart

executor call, executor resume, and executor tools … auto-start a local daemon if one isn't running. The daemon pointer is scope-aware, and if the default port is busy the CLI transparently picks an open one — so two projects can run side-by-side without collisions.

executor daemon run now backgrounds by default. Pass --foreground to keep it attached for log inspection.

OpenTelemetry everywhere

Tool dispatch, plugins, storage, schema, and transport are now fully instrumented with OTEL spans, and the runtime is threaded through dispatch so spans actually export in all runtimes.

New presets

• Notion is now a featured MCP preset.

Performance

• buildExecuteDescription no longer calls executor.tools.list, making tool-description generation measurably faster on large workspaces.
• Per-scope blob and secret lookups now use a single IN query instead of N per-scope round-trips.

Fixes

• Upgrade: preserve legacy OAuth connection backfills after the connection.kind column is removed.
• OpenAPI: refreshing or editing sources with legacy inline secret/OAuth config now materializes the new source binding rows instead of dropping credentials.
• Keychain: skip provider registration when the OS backend is unreachable (no more startup failure when running headless on Linux without a keyring).
• Local server: return 404 for missing static assets instead of serving HTML.
• Tests: Windows compatibility across the suite.

Breaking changes

executor call no longer accepts inline code

The old TypeScript-as-argument forms are gone:

executor call '<code>'
executor call --file script.ts
executor call --stdin

Migrate to explicit tool paths:

# before
executor call 'return await tools.github.issues.list({ owner, repo })'
# after
executor call github issues list '{"owner":"octocat","repo":"Hello-World"}'

tools.discover(...) becomes executor tools search "<query>".

sources.add CLI form simplified

Use the dedicated tool:

executor call openapi addSource '{
  "spec": "https://petstore3.swagger.io/api/v3/openapi.json",
  "namespace": "petstore",
  "baseUrl": "https://petstore3.swagger.io/api/v3"
}'

Pass baseUrl when the OpenAPI document has relative servers entries.

SDK: layered scope

Every SDK write now takes an explicit scope. If you have plugins or host code calling the SDK directly, they'll need to adopt the new layered-scope API (see the in-tree plugins for reference — they've all been migrated). This does not affect users of the CLI or web UI.

v1.4.10

Highlights

Per-user OAuth for OpenAPI and MCP sources

OpenAPI and MCP sources now carry first-class Connections — a per-user sign-in state decoupled from the source definition itself.

• Save an OAuth2 OpenAPI or MCP source before signing in; users sign in later from the source page.
• Each connection refreshes independently, with concurrent refreshes deduped across the SDK. When a refresh can't recover, the SDK surfaces an explicit reauth-required signal instead of silently failing.
• The Edit OpenAPI Source page has a new Connections pane showing every user who has signed in and their status. Each source in the sidebar now shows a live connection badge.
• Existing OpenAPI + MCP + google-discovery OAuth rows migrate into Connections automatically on first launch — no user action required.

OpenAPI: client-credentials, non-JSON bodies, source refresh

• Full OAuth2 client-credentials flow end-to-end.
• Non-JSON request bodies dispatch correctly by content type; Executor honors OAS3 encoding and multi-content operations, and lets the caller pick which content type to send.
• Relative OAuth2 URLs resolve against the source's baseUrl.
• Refresh a source by re-fetching its origin URL from the edit page.

Layered scope isolation

Multi-tenant deployments get a proper security primitive. Every read and write now passes through a layered ScopeStack, with the write scope declared explicitly. Plugins have adopted the API; the UI exposes it via CreatableSecretPicker; and WorkOS sources enforce tenant-ownership on every access. Per-scope blob and secret lookups are batched into single IN queries, so the extra check doesn't cost a round-trip.

Natural CLI for tool discovery and invocation

Call tools by path instead of writing TypeScript:

executor call github issues create '{"owner":"octocat","repo":"Hello-World","title":"Hi"}'
executor tools search "send email"
executor tools sources
executor tools describe github.issues.create

executor call <path> --help browses namespaces → resources → methods, with --match <text> --limit <n> to narrow huge namespaces. Errors are normalized for agent consumption, and the resume / help UX is cleaner for non-interactive flows.

Daemon lifecycle

executor daemon run
executor daemon status
executor daemon stop
executor daemon restart

executor call, executor resume, and executor tools … auto-start a local daemon if one isn't running. The daemon pointer is scope-aware, and if the default port is busy the CLI transparently picks an open one — so two projects can run side-by-side without collisions.

executor daemon run now backgrounds by default. Pass --foreground to keep it attached for log inspection.

OpenTelemetry everywhere

Tool dispatch, plugins, storage, schema, and transport are now fully instrumented with OTEL spans, and the runtime is threaded through dispatch so spans actually export in all runtimes.

New presets

• Notion is now a featured MCP preset.

Performance

• buildExecuteDescription no longer calls executor.tools.list, making tool-description generation measurably faster on large workspaces.
• Per-scope blob and secret lookups now use a single IN query instead of N per-scope round-trips.

Fixes

• Upgrade: preserve legacy OAuth connection backfills after the connection.kind column is removed.
• OpenAPI: refreshing or editing sources with legacy inline secret/OAuth config now materializes the new source binding rows instead of dropping credentials.
• Keychain: skip provider registration when the OS backend is unreachable (no more startup failure when running headless on Linux without a keyring).
• Local server: return 404 for missing static assets instead of serving HTML.
• Tests: Windows compatibility across the suite.

Breaking changes

executor call no longer accepts inline code

The old TypeScript-as-argument forms are gone:

executor call '<code>'
executor call --file script.ts
executor call --stdin

Migrate to explicit tool paths:

# before
executor call 'return await tools.github.issues.list({ owner, repo })'
# after
executor call github issues list '{"owner":"octocat","repo":"Hello-World"}'

tools.discover(...) becomes executor tools search "<query>".

sources.add CLI form simplified

Use the dedicated tool:

executor call openapi addSource '{
  "spec": "https://petstore3.swagger.io/api/v3/openapi.json",
  "namespace": "petstore",
  "baseUrl": "https://petstore3.swagger.io/api/v3"
}'

Pass baseUrl when the OpenAPI document has relative servers entries.

SDK: layered scope

Every SDK write now takes an explicit scope. If you have plugins or host code calling the SDK directly, they'll need to adopt the new layered-scope API (see the in-tree plugins for reference — they've all been migrated). This does not affect users of the CLI or web UI.

v1.4.9

Highlights

Per-user OAuth for OpenAPI and MCP sources

OpenAPI and MCP sources now carry first-class Connections — a per-user sign-in state decoupled from the source definition itself.

• Save an OAuth2 OpenAPI or MCP source before signing in; users sign in later from the source page.
• Each connection refreshes independently, with concurrent refreshes deduped across the SDK. When a refresh can't recover, the SDK surfaces an explicit reauth-required signal instead of silently failing.
• The Edit OpenAPI Source page has a new Connections pane showing every user who has signed in and their status. Each source in the sidebar now shows a live connection badge.
• Existing OpenAPI + MCP + google-discovery OAuth rows migrate into Connections automatically on first launch — no user action required.

OpenAPI: client-credentials, non-JSON bodies, source refresh

• Full OAuth2 client-credentials flow end-to-end.
• Non-JSON request bodies dispatch correctly by content type; Executor honors OAS3 encoding and multi-content operations, and lets the caller pick which content type to send.
• Relative OAuth2 URLs resolve against the source's baseUrl.
• Refresh a source by re-fetching its origin URL from the edit page.

Layered scope isolation

Multi-tenant deployments get a proper security primitive. Every read and write now passes through a layered ScopeStack, with the write scope declared explicitly. Plugins have adopted the API; the UI exposes it via CreatableSecretPicker; and WorkOS sources enforce tenant-ownership on every access. Per-scope blob and secret lookups are batched into single IN queries, so the extra check doesn't cost a round-trip.

Natural CLI for tool discovery and invocation

Call tools by path instead of writing TypeScript:

executor call github issues create '{"owner":"octocat","repo":"Hello-World","title":"Hi"}'
executor tools search "send email"
executor tools sources
executor tools describe github.issues.create

executor call <path> --help browses namespaces → resources → methods, with --match <text> --limit <n> to narrow huge namespaces. Errors are normalized for agent consumption, and the resume / help UX is cleaner for non-interactive flows.

Daemon lifecycle

executor daemon run
executor daemon status
executor daemon stop
executor daemon restart

executor call, executor resume, and executor tools … auto-start a local daemon if one isn't running. The daemon pointer is scope-aware, and if the default port is busy the CLI transparently picks an open one — so two projects can run side-by-side without collisions.

OpenTelemetry everywhere

Tool dispatch, plugins, storage, schema, and transport are now fully instrumented with OTEL spans, and the runtime is threaded through dispatch so spans actually export in all runtimes.

New presets

• Notion is now a featured MCP preset.

Performance

• buildExecuteDescription no longer calls executor.tools.list, making tool-description generation measurably faster on large workspaces.
• Per-scope blob and secret lookups now use a single IN query instead of N per-scope round-trips.

Fixes

• Upgrade: preserve legacy OAuth connection backfills after the connection.kind column is removed.
• OpenAPI: refreshing or editing sources with legacy inline secret/OAuth config now materializes the new source binding rows instead of dropping credentials.
• Keychain: skip provider registration when the OS backend is unreachable (no more startup failure when running headless on Linux without a keyring).
• Local server: return 404 for missing static assets instead of serving HTML.
• Tests: Windows compatibility across the suite.

Breaking changes

executor call no longer accepts inline code

The old TypeScript-as-argument forms are gone:

executor call '<code>'
executor call --file script.ts
executor call --stdin

Migrate to explicit tool paths:

# before
executor call 'return await tools.github.issues.list({ owner, repo })'
# after
executor call github issues list '{"owner":"octocat","repo":"Hello-World"}'

tools.discover(...) becomes executor tools search "<query>".

sources.add CLI form simplified

Use the dedicated tool:

executor call openapi addSource '{
  "spec": "https://petstore3.swagger.io/api/v3/openapi.json",
  "namespace": "petstore",
  "baseUrl": "https://petstore3.swagger.io/api/v3"
}'

Pass baseUrl when the OpenAPI document has relative servers entries.

SDK: layered scope

Every SDK write now takes an explicit scope. If you have plugins or host code calling the SDK directly, they'll need to adopt the new layered-scope API (see the in-tree plugins for reference — they've all been migrated). This does not affect users of the CLI or web UI.

v1.4.8

Highlights

Per-user OAuth for OpenAPI and MCP sources

OpenAPI and MCP sources now carry first-class Connections — a per-user sign-in state decoupled from the source definition itself.

• Save an OAuth2 OpenAPI or MCP source before signing in; users sign in later from the source page.
• Each connection refreshes independently, with concurrent refreshes deduped across the SDK. When a refresh can't recover, the SDK surfaces an explicit reauth-required signal instead of silently failing.
• The Edit OpenAPI Source page has a new Connections pane showing every user who has signed in and their status. Each source in the sidebar now shows a live connection badge.
• Existing OpenAPI + MCP + google-discovery OAuth rows migrate into Connections automatically on first launch — no user action required.

OpenAPI: client-credentials, non-JSON bodies, source refresh

• Full OAuth2 client-credentials flow end-to-end.
• Non-JSON request bodies dispatch correctly by content type; Executor honors OAS3 encoding and multi-content operations, and lets the caller pick which content type to send.
• Relative OAuth2 URLs resolve against the source's baseUrl.
• Refresh a source by re-fetching its origin URL from the edit page.

Layered scope isolation

Multi-tenant deployments get a proper security primitive. Every read and write now passes through a layered ScopeStack, with the write scope declared explicitly. Plugins have adopted the API; the UI exposes it via CreatableSecretPicker; and WorkOS sources enforce tenant-ownership on every access. Per-scope blob and secret lookups are batched into single IN queries, so the extra check doesn't cost a round-trip.

Natural CLI for tool discovery and invocation

Call tools by path instead of writing TypeScript:

executor call github issues create '{"owner":"octocat","repo":"Hello-World","title":"Hi"}'
executor tools search "send email"
executor tools sources
executor tools describe github.issues.create

executor call <path> --help browses namespaces → resources → methods, with --match <text> --limit <n> to narrow huge namespaces. Errors are normalized for agent consumption, and the resume / help UX is cleaner for non-interactive flows.

Daemon lifecycle

executor daemon run
executor daemon status
executor daemon stop
executor daemon restart

executor call, executor resume, and executor tools … auto-start a local daemon if one isn't running. The daemon pointer is scope-aware, and if the default port is busy the CLI transparently picks an open one — so two projects can run side-by-side without collisions.

OpenTelemetry everywhere

Tool dispatch, plugins, storage, schema, and transport are now fully instrumented with OTEL spans, and the runtime is threaded through dispatch so spans actually export in all runtimes.

New presets

• Notion is now a featured MCP preset.

Performance

• buildExecuteDescription no longer calls executor.tools.list, making tool-description generation measurably faster on large workspaces.
• Per-scope blob and secret lookups now use a single IN query instead of N per-scope round-trips.

Fixes

• Keychain: skip provider registration when the OS backend is unreachable (no more startup failure when running headless on Linux without a keyring).
• Local server: return 404 for missing static assets instead of serving HTML.
• Tests: Windows compatibility across the suite.

Breaking changes

executor call no longer accepts inline code

The old TypeScript-as-argument forms are gone:

executor call '<code>'
executor call --file script.ts
executor call --stdin

Migrate to explicit tool paths:

# before
executor call 'return await tools.github.issues.list({ owner, repo })'
# after
executor call github issues list '{"owner":"octocat","repo":"Hello-World"}'

tools.discover(...) becomes executor tools search "<query>".

sources.add CLI form simplified

Use the dedicated tool:

executor call openapi addSource '{
  "spec": "https://petstore3.swagger.io/api/v3/openapi.json",
  "namespace": "petstore",
  "baseUrl": "https://petstore3.swagger.io/api/v3"
}'

Pass baseUrl when the OpenAPI document has relative servers entries.

SDK: layered scope

Every SDK write now takes an explicit scope. If you have plugins or host code calling the SDK directly, they'll need to adopt the new layered-scope API (see the in-tree plugins for reference — they've all been migrated). This does not affect users of the CLI or web UI.

v1.4.7

What's Changed

• [codex] simplify cloud org switching by @RhysSullivan in #233
• [codex] Allow underscores while editing source namespaces by @heyglassy in #231
• [codex] Right-align inline secret creation actions by @heyglassy in #232
• Rework cloud org flow: onboarding page + live membership check by @RhysSullivan in #234
• Track MCP tool executions in Autumn billing by @RhysSullivan in #237
• Replace loading text with skeletons in cloud shell by @RhysSullivan in #239
• Disable MCP stdio transport by default by @RhysSullivan in #238
• Remove google-discovery plugin from cloud app by @RhysSullivan in #240
• Support OpenAPI server variables during onboarding by @RhysSullivan in #246
• [codex] Refactor dynamic worker error transport with Effect causes by @heyglassy in #244
• Extract @executor/plugin-oauth2 shared helpers by @RhysSullivan in #247
• Add OAuth popup UI utilities to @executor/plugin-oauth2 by @RhysSullivan in #248
• Add storeOAuthTokens + withRefreshedAccessToken refresh wrapper by @RhysSullivan in #249
• Extract OAuth2 flows from OpenAPI security schemes by @RhysSullivan in #250
• OpenAPI OAuth2 authorization-code onboarding backend by @RhysSullivan in #251
• OpenAPI OAuth2 onboarding UI by @RhysSullivan in #252
• chore: fix data storage by @RhysSullivan in #262
• Allow "Remote"-ing to Executor Web Dashboard by @therealsamyak in #261
• Fix OpenAI and Sentry icons in popular OpenAPI presets by @mrzmyr in #267
• feat: improve mcp install card layout by @mrzmyr in #269
• fix(openapi): use Workers-native fetch for spec URLs by @RhysSullivan in #270
• fix(storage): require createMany on CustomAdapter; drizzle issues chunked bulk INSERT by @RhysSullivan in #275
• perf(secrets): parallelize provider fan-out and header resolution by @RhysSullivan in #276
• fix(cloud): forward /api/sentry-tunnel to Sentry ingest by @RhysSullivan in #277
• test(cloud): exercise addSpec on the full Cloudflare spec through real postgres by @RhysSullivan in #278
• Declarative reactivity keys + optimistic source add by @RhysSullivan in #279
• cloud: wire Effect spans to Axiom via otel-cf-workers by @RhysSullivan in #280
• Polish secret creation UX in header-auth flow by @RhysSullivan in #283
• feat(release): publish execution, cli, and kernel packages to npm by @RhysSullivan in #284
• cloud: share executor stack between HTTP and MCP DO; wire DO telemetry by @RhysSullivan in #281
• Sort source list by name to stop optimistic-add jump by @RhysSullivan in #285
• feat(sdk): typed errors propagate to one edge mapping (StorageError, InternalError, Telemetry) by @RhysSullivan in #282
• execution: add Effect.fn spans for tool-call + code-exec boundaries by @RhysSullivan in #287
• cloud: /mcp on Effect HttpApp + full e2e coverage (workerd pool + real-port Miniflare + elicitation) by @RhysSullivan in #289
• cloud: restore McpSessionDO init/handleRequest span coverage + real-flow telemetry test by @RhysSullivan in #290
• cloud: fix DO telemetry export + rebuild env as lazy Proxy by @RhysSullivan in #291
• cloud: surface JSON-RPC protocol errors on mcp.request span by @RhysSullivan in #293
• ci(pkg-pr-new): skip preview binary build for fork PRs by @mrzmyr in #292
• cloud: expand MCP observability + flip engine to Effect-native by @RhysSullivan in #318
• fix(cloud): propagate OTEL trace context across worker→DO boundary by @RhysSullivan in #320
• Add graphite skill by @matiacone in #319
• Version Packages by @github-actions[bot] in #321

New Contributors

• @heyglassy made their first contribution in #231
• @therealsamyak made their first contribution in #261
• @matiacone made their first contribution in #319

Full Changelog: v1.4.6...v1.4.7

v1.4.7-beta.0

What's Changed

• [codex] simplify cloud org switching by @RhysSullivan in #233
• [codex] Allow underscores while editing source namespaces by @heyglassy in #231
• [codex] Right-align inline secret creation actions by @heyglassy in #232
• Rework cloud org flow: onboarding page + live membership check by @RhysSullivan in #234
• Track MCP tool executions in Autumn billing by @RhysSullivan in #237
• Replace loading text with skeletons in cloud shell by @RhysSullivan in #239
• Disable MCP stdio transport by default by @RhysSullivan in #238
• Remove google-discovery plugin from cloud app by @RhysSullivan in #240
• Support OpenAPI server variables during onboarding by @RhysSullivan in #246
• [codex] Refactor dynamic worker error transport with Effect causes by @heyglassy in #244
• Extract @executor/plugin-oauth2 shared helpers by @RhysSullivan in #247
• Add OAuth popup UI utilities to @executor/plugin-oauth2 by @RhysSullivan in #248
• Add storeOAuthTokens + withRefreshedAccessToken refresh wrapper by @RhysSullivan in #249
• Extract OAuth2 flows from OpenAPI security schemes by @RhysSullivan in #250
• OpenAPI OAuth2 authorization-code onboarding backend by @RhysSullivan in #251
• OpenAPI OAuth2 onboarding UI by @RhysSullivan in #252
• chore: fix data storage by @RhysSullivan in #262
• Allow "Remote"-ing to Executor Web Dashboard by @therealsamyak in #261
• Fix OpenAI and Sentry icons in popular OpenAPI presets by @mrzmyr in #267
• feat: improve mcp install card layout by @mrzmyr in #269
• fix(openapi): use Workers-native fetch for spec URLs by @RhysSullivan in #270
• fix(storage): require createMany on CustomAdapter; drizzle issues chunked bulk INSERT by @RhysSullivan in #275
• perf(secrets): parallelize provider fan-out and header resolution by @RhysSullivan in #276
• fix(cloud): forward /api/sentry-tunnel to Sentry ingest by @RhysSullivan in #277
• test(cloud): exercise addSpec on the full Cloudflare spec through real postgres by @RhysSullivan in #278
• Declarative reactivity keys + optimistic source add by @RhysSullivan in #279
• cloud: wire Effect spans to Axiom via otel-cf-workers by @RhysSullivan in #280
• Polish secret creation UX in header-auth flow by @RhysSullivan in #283
• feat(release): publish execution, cli, and kernel packages to npm by @RhysSullivan in #284
• cloud: share executor stack between HTTP and MCP DO; wire DO telemetry by @RhysSullivan in #281
• Sort source list by name to stop optimistic-add jump by @RhysSullivan in #285
• feat(sdk): typed errors propagate to one edge mapping (StorageError, InternalError, Telemetry) by @RhysSullivan in #282
• execution: add Effect.fn spans for tool-call + code-exec boundaries by @RhysSullivan in #287
• cloud: /mcp on Effect HttpApp + full e2e coverage (workerd pool + real-port Miniflare + elicitation) by @RhysSullivan in #289
• cloud: restore McpSessionDO init/handleRequest span coverage + real-flow telemetry test by @RhysSullivan in #290
• cloud: fix DO telemetry export + rebuild env as lazy Proxy by @RhysSullivan in #291
• cloud: surface JSON-RPC protocol errors on mcp.request span by @RhysSullivan in #293
• ci(pkg-pr-new): skip preview binary build for fork PRs by @mrzmyr in #292
• cloud: expand MCP observability + flip engine to Effect-native by @RhysSullivan in #318

New Contributors

• @heyglassy made their first contribution in #231
• @therealsamyak made their first contribution in #261

Full Changelog: v1.4.6...v1.4.7-beta.0