chore(mcp): add express deps for SDK auth router migration

[kunickiaj]

Description

Adds Express and Express type dependencies required for the upcoming @modelcontextprotocol/sdk mcpAuthRouter migration. Also aligns repo-owned @types/node pins with the already-decided runtime floor (engines.node >=24) so TypeScript does not validate published packages against Node 25-only APIs.

Type of Change

• 🚀 Feature (new functionality)
• 🐛 Bug fix (fixes an issue)
• 📚 Documentation (docs-only change)
• 🔧 Maintenance (refactor, chore, CI, etc.)
• 🧪 Testing (test-only changes)

Testing

• Relevant checks pass locally (pnpm run tsc, pnpm run lint, pnpm run test)
• Added/updated tests for changes
• Manually verified changes work as expected

Checklist

• Code follows project style (pnpm run lint passes for touched files)
• Self-review completed
• Documentation updated (if needed)
• No new warnings introduced

[kunickiaj]

• feat(mcp): polish OAuth metadata and refresh audits #1144
• feat(mcp): rotate refresh tokens for SDK auth #1143
• feat(mcp): mount SDK auth router on Express #1142
• feat(mcp): add SDK OAuth provider adapter #1141
• chore(mcp): add express deps for SDK auth router migration #1140 👈 (View in Graphite)
• main

This stack of pull requests is managed by Graphite. Learn more about stacking.

[chatgpt-codex-connector]

💡 Codex Review

codemem/docs/plans/2026-05-22-mcp-multitenant-phase-3-design.md

Line 83 in 490d958

- `read_write` — principal may read and may write through `memory_remember` and observer ingestion paths into this scope.

Clarify read_write scope to exclude observer ingestion

The role definition says read_write permits writes through both memory_remember and observer ingestion, but the later write-enforcement table says observer ingestion by remote principals is out of scope and owner-only. This contradiction can lead Phase 3 implementers to grant or test an authorization path that the same doc forbids, creating avoidable security and behavior drift across implementations; the role text should match the enforcement section explicitly.

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[kunickiaj]

Merge activity

• May 24, 1:33 AM UTC: A user started a stack merge that includes this pull request via Graphite.
• May 24, 1:33 AM UTC: @kunickiaj merged this pull request with Graphite.