Revert 2.0.0 release and re-release as 1.5.23 patch

.changeset/cimd-org-redirect-uri.md

@@ -0,0 +1,12 @@
+---
+"@executor-js/api": patch
+---
+
+Fix OAuth "Mismatching redirect URI" for org-scoped client-id metadata documents
+
+Org-scoped client-id metadata documents registered their callback as
+`redirect_uri` with an `executor_org` query param, but the client always sends
+the bare callback and the org is carried in the OAuth `state`. Providers that
+compare `redirect_uri` as an exact string (such as PostHog) rejected the
+authorize request. Org targets now keep their distinct `client_id` URL but
+register the same bare callback `redirect_uri` as every other target.

.changeset/desktop-background-service-consent-seam.md

@@ -0,0 +1,5 @@
+---
+"executor": patch
+---
+
+Add a test seam to skip the first-run "keep Executor running in the background?" consent dialog under automation, matching the existing `confirmResetState` seam. Set `EXECUTOR_TEST_AUTO_CONFIRM_BACKGROUND_SERVICE=1` to keep the background service or any other value to decline. When the variable is unset the dialog is shown exactly as before. Native dialogs cannot be answered from CDP or Playwright, so a packaged first-run boot under automation previously blocked at this prompt with no way to proceed.

.changeset/desktop-sidecar-auth-token-dash.md

@@ -0,0 +1,5 @@
+---
+"executor": patch
+---
+
+Fix the desktop app failing to start its local server when the generated auth token begins with a dash. The token is `randomBytes(32).toString("base64url")`, which can start with "-", and the packaged app passed it to the bundled CLI as a separate argument (`--auth-token`, then the token). The CLI then read the leading-dash token as an unknown flag, printed its help, and exited, so the desktop showed a fatal "local Executor server crashed during startup" dialog. This was persistent (the token is saved) and cross-platform, affecting roughly 1 in 64 fresh installs. The token is now passed in the combined `--auth-token=<value>` form so a leading dash is treated as the value.

.changeset/graphql-valid-selections.md

@@ -0,0 +1,9 @@
+---
+"@executor-js/plugin-graphql": patch
+---
+
+Fix the GraphQL plugin generating invalid operations against large schemas, and make field selection caller-controlled instead of a baked-in guess.
+
+Previously each tool froze a recursive, depth- and count-bounded selection at sync time. Against a rich schema (GitLab) this produced invalid GraphQL (composite fields with no sub-selection, nested fields missing required arguments) so every call over a rich return type failed, and the arbitrary bound silently truncated which fields came back.
+
+Generated tools now default to selecting only scalar/enum leaf fields of the return type (always valid, always within a server's query-complexity budget), and expose an optional `select` input carrying a GraphQL selection set so a caller can request nested or list data per call (including supplying nested required arguments). Fixes #1146.

.changeset/update-available-notifications.md

@@ -0,0 +1,8 @@
+---
+"executor": patch
+"@executor-js/desktop": patch
+"@executor-js/api": patch
+"@executor-js/react": patch
+---
+
+Notify when a newer Executor is published. The CLI now prints an "update available" line under its ready banner, and the web shell's sidebar update card works for real (a new `/v1/app/npm/dist-tags` endpoint backs it). In the desktop app the card shows a native "Restart to update" action wired to the in-app updater instead of the npm command. The check is best-effort and offline-safe, and can be disabled with `EXECUTOR_DISABLE_UPDATE_CHECK`.

apps/cli/CHANGELOG.md

@@ -1,23 +1,5 @@
 # executor
 
-## 2.0.0
-
-### Minor Changes
-
-- [#1182](https://github.com/RhysSullivan/executor/pull/1182) [`b6c8968`](https://github.com/RhysSullivan/executor/commit/b6c8968c2a3dd3cf8d8b2fa5ecdbd2a1f9cad4f2) Thanks [@RhysSullivan](https://github.com/RhysSullivan)! - Notify when a newer Executor is published. The CLI now prints an "update available" line under its ready banner, and the web shell's sidebar update card works for real (a new `/v1/app/npm/dist-tags` endpoint backs it). In the desktop app the card shows a native "Restart to update" action wired to the in-app updater instead of the npm command. The check is best-effort and offline-safe, and can be disabled with `EXECUTOR_DISABLE_UPDATE_CHECK`.
-
-### Patch Changes
-
-- [#1170](https://github.com/RhysSullivan/executor/pull/1170) [`0de0106`](https://github.com/RhysSullivan/executor/commit/0de0106771aa8997db72f0ce3a619ac4920ccfcd) Thanks [@RhysSullivan](https://github.com/RhysSullivan)! - Add a test seam to skip the first-run "keep Executor running in the background?" consent dialog under automation, matching the existing `confirmResetState` seam. Set `EXECUTOR_TEST_AUTO_CONFIRM_BACKGROUND_SERVICE=1` to keep the background service or any other value to decline. When the variable is unset the dialog is shown exactly as before. Native dialogs cannot be answered from CDP or Playwright, so a packaged first-run boot under automation previously blocked at this prompt with no way to proceed.
-
-- [#1169](https://github.com/RhysSullivan/executor/pull/1169) [`94647f1`](https://github.com/RhysSullivan/executor/commit/94647f1fc33e57d2eb159f929f95d9e9f6ad60cd) Thanks [@RhysSullivan](https://github.com/RhysSullivan)! - Fix the desktop app failing to start its local server when the generated auth token begins with a dash. The token is `randomBytes(32).toString("base64url")`, which can start with "-", and the packaged app passed it to the bundled CLI as a separate argument (`--auth-token`, then the token). The CLI then read the leading-dash token as an unknown flag, printed its help, and exited, so the desktop showed a fatal "local Executor server crashed during startup" dialog. This was persistent (the token is saved) and cross-platform, affecting roughly 1 in 64 fresh installs. The token is now passed in the combined `--auth-token=<value>` form so a leading dash is treated as the value.
-
-- Updated dependencies [[`fd29abe`](https://github.com/RhysSullivan/executor/commit/fd29abe23a329e8e8c50ce185bfc23f58a5348d0), [`b6c8968`](https://github.com/RhysSullivan/executor/commit/b6c8968c2a3dd3cf8d8b2fa5ecdbd2a1f9cad4f2)]:
-  - @executor-js/api@1.5.0
-  - @executor-js/local@1.4.4
-  - @executor-js/sdk@2.0.0
-  - @executor-js/runtime-quickjs@2.0.0
-
 ## 1.5.22
 
 ### Patch Changes

apps/cli/package.json

@@ -1,6 +1,6 @@
 {
   "name": "executor",
-  "version": "2.0.0",
+  "version": "1.5.22",
   "private": true,
   "bin": {
     "executor": "./bin/executor.ts"

apps/cloud/CHANGELOG.md

@@ -1,27 +1,5 @@
 # @executor-js/cloud
 
-## 1.4.41
-
-### Patch Changes
-
-- Updated dependencies [[`fd29abe`](https://github.com/RhysSullivan/executor/commit/fd29abe23a329e8e8c50ce185bfc23f58a5348d0), [`cc94666`](https://github.com/RhysSullivan/executor/commit/cc94666fa6adf5a0c7ceb667b3797334020327b1), [`b6c8968`](https://github.com/RhysSullivan/executor/commit/b6c8968c2a3dd3cf8d8b2fa5ecdbd2a1f9cad4f2)]:
-  - @executor-js/api@1.5.0
-  - @executor-js/plugin-graphql@2.0.0
-  - @executor-js/react@1.5.0
-  - @executor-js/cloudflare@0.0.22
-  - @executor-js/plugin-google@2.0.0
-  - @executor-js/plugin-mcp@2.0.0
-  - @executor-js/plugin-microsoft@2.0.0
-  - @executor-js/plugin-openapi@2.0.0
-  - @executor-js/plugin-toolkits@2.0.0
-  - @executor-js/plugin-workos-vault@0.0.2
-  - @executor-js/runtime-dynamic-worker@1.4.4
-  - @executor-js/sdk@2.0.0
-  - @executor-js/runtime-quickjs@2.0.0
-  - @executor-js/execution@2.0.0
-  - @executor-js/vite-plugin@0.0.40
-  - @executor-js/host-mcp@1.4.4
-
 ## 1.4.40
 
 ### Patch Changes

apps/cloud/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@executor-js/cloud",
-  "version": "1.4.41",
+  "version": "1.4.40",
   "private": true,
   "type": "module",
   "scripts": {

apps/desktop/CHANGELOG.md

@@ -1,11 +1,5 @@
 # @executor-js/desktop
 
-## 2.0.0
-
-### Minor Changes
-
-- [#1182](https://github.com/RhysSullivan/executor/pull/1182) [`b6c8968`](https://github.com/RhysSullivan/executor/commit/b6c8968c2a3dd3cf8d8b2fa5ecdbd2a1f9cad4f2) Thanks [@RhysSullivan](https://github.com/RhysSullivan)! - Notify when a newer Executor is published. The CLI now prints an "update available" line under its ready banner, and the web shell's sidebar update card works for real (a new `/v1/app/npm/dist-tags` endpoint backs it). In the desktop app the card shows a native "Restart to update" action wired to the in-app updater instead of the npm command. The check is best-effort and offline-safe, and can be disabled with `EXECUTOR_DISABLE_UPDATE_CHECK`.
-
 ## 1.5.22
 
 ## 1.5.21

apps/desktop/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@executor-js/desktop",
-  "version": "2.0.0",
+  "version": "1.5.22",
   "private": true,
   "homepage": "https://github.com/RhysSullivan/executor",
   "license": "MIT",

apps/host-selfhost/CHANGELOG.md

@@ -1,25 +1,5 @@
 # @executor-js/host-selfhost
 
-## 0.0.22
-
-### Patch Changes
-
-- Updated dependencies [[`fd29abe`](https://github.com/RhysSullivan/executor/commit/fd29abe23a329e8e8c50ce185bfc23f58a5348d0), [`cc94666`](https://github.com/RhysSullivan/executor/commit/cc94666fa6adf5a0c7ceb667b3797334020327b1), [`b6c8968`](https://github.com/RhysSullivan/executor/commit/b6c8968c2a3dd3cf8d8b2fa5ecdbd2a1f9cad4f2)]:
-  - @executor-js/api@1.5.0
-  - @executor-js/plugin-graphql@2.0.0
-  - @executor-js/react@1.5.0
-  - @executor-js/plugin-google@2.0.0
-  - @executor-js/plugin-mcp@2.0.0
-  - @executor-js/plugin-microsoft@2.0.0
-  - @executor-js/plugin-openapi@2.0.0
-  - @executor-js/plugin-toolkits@2.0.0
-  - @executor-js/app@1.4.4
-  - @executor-js/sdk@2.0.0
-  - @executor-js/runtime-quickjs@2.0.0
-  - @executor-js/execution@2.0.0
-  - @executor-js/host-mcp@1.4.4
-  - @executor-js/plugin-encrypted-secrets@0.0.22
-
 ## 0.0.21
 
 ### Patch Changes

apps/host-selfhost/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@executor-js/host-selfhost",
-  "version": "0.0.22",
+  "version": "0.0.21",
   "private": true,
   "type": "module",
   "exports": {