[1c] MCP entrypoint + identity resolution

[andrmaz]

What to build

Stand up the /mcp entrypoint. Authenticated MCP calls are accepted, the token is validated, and the request is enriched with resolved org + department identity context. Unauthorized or invalid tokens are rejected with structured error responses. At this stage the response is an identity-scoped stub (no retrieval yet) — this slice proves MCP-first integration and auth plumbing end-to-end.

Acceptance criteria

• An authenticated MCP client can call /mcp and receive a valid stub response.
• The response payload includes resolved organization and department scope.
• Requests with missing, invalid, or expired tokens are rejected with a clear error.
• Integration test covers the authenticated happy path and the rejection path.

Blocked by

• [1b] Google OAuth sign-in + JWT session #4 [1b] Google OAuth sign-in + JWT session

[andrmaz]

@cursoragent Start working on this

[cursor]

Here's a summary of everything implemented:

IdentityService (apps/api/src/mcp/identity.service.ts) — new service that resolves org + department scope for a request. It reads organizationId from the JWT claim and looks up the user's Primary Department from the UserDepartment join table, returning null if none is configured.

MCPController — protected with JwtAuthGuard. Unauthenticated requests never reach the handler. The controller extracts the validated user from req.user, delegates to IdentityService, and returns a response that now includes scope: { organizationId, departmentId }.

MCPModule — updated to import AuthModule (which provides the JWT strategy) and PrismaModule, and to provide IdentityService.

Tests — 59 tests across 7 suites, all passing:

• Unit tests for the auth-aware controller (mocked IdentityService)
• Module compilation tests (updated for new imports/providers)
• Integration tests via supertest covering the full HTTP flow:
  • Authenticated happy path → 201 with resolved organizationId + departmentId
  • Null departmentId when no primary department exists
  • Five rejection scenarios (missing header, invalid token, wrong secret, expired token, malformed header) → all 401