docs: update .env.example and HIPAA requirements to include Sinch backend configuration; enhance MCP integration guide with transport options and file handling best practices

Author: DMontgomery40

.env.example

@@ -6,7 +6,7 @@ FAX_DISABLED=false
 API_KEY=your_secure_api_key_here
 
 # Backend Selection - Choose ONE
-# Options: "sip" (self-hosted) or "phaxio" (cloud)
+# Options: "sip" (self-hosted), "phaxio" (cloud fetch), or "sinch" (cloud direct upload)
 FAX_BACKEND=sip
 
 # === PHAXIO CLOUD BACKEND ===
@@ -21,6 +21,15 @@ PHAXIO_CALLBACK_URL=http://localhost:8080/phaxio-callback
 PHAXIO_VERIFY_SIGNATURE=true
 ENFORCE_PUBLIC_HTTPS=false
 
+# === SINCH FAX API v3 (Phaxio by Sinch) ===
+# Only needed if FAX_BACKEND=sinch
+# If left blank, SINCH_API_* fall back to PHAXIO_* values.
+SINCH_PROJECT_ID=your_sinch_project_id
+SINCH_API_KEY=
+SINCH_API_SECRET=
+# Optional region override (defaults to https://fax.api.sinch.com/v3)
+# SINCH_BASE_URL=https://us.fax.api.sinch.com/v3
+
 # === SIP/ASTERISK BACKEND ===
 # Only needed if FAX_BACKEND=sip
 ASTERISK_AMI_HOST=asterisk

HIPAA_REQUIREMENTS.md

@@ -92,13 +92,22 @@ Implement the following as minimum controls:
   - Rotate credentials periodically. Log and alert on failed auth.
 
 ## MCP (AI Assistant) Considerations
-- MCP transmits base64 file content for the `send_fax` tool. Treat the MCP server with the same controls as the API (auth, network restrictions, audit logging).
-- Do not send PHI to LLMs or external services unless you have a signed BAA and an approved use case.
-- All MCP servers must require authentication:
+- Stdio vs HTTP/SSE transports
+  - Stdio (local): connects tools directly to desktop assistants without a network server. Convenient for individuals. Not generally used for provider‑side HIPAA workflows.
+  - HTTP/SSE (server): network transports that can be authenticated (API key, OAuth2/JWT) and deployed under your security program. Use SSE+OAuth for provider‑side HIPAA workflows.
+- File handling
+  - For stdio, prefer `send_fax` with `filePath` to avoid embedding PHI as base64 in conversations.
+  - For HTTP/SSE, tool inputs are JSON; base64 increases size and token exposure. Enforce auth and rate limits and avoid logging request bodies.
+- Do not send PHI to LLMs or external services unless covered by a BAA and approved by policy. Faxbot’s MCP servers call your Faxbot API; they do not upload PHI to model providers.
+- All MCP servers must require authentication where applicable:
   - REST API: `X-API-Key` for /fax endpoints.
   - MCP HTTP/SSE: `Authorization: Bearer <JWT>` verified against your OIDC JWKS.
 - Serve MCP over TLS. Never log PHI (file content, rendered pages). Log only job IDs and metadata.
 
+## Roles and Transport Choice (Practical Guidance)
+- Healthcare providers (CE/BA): use HTTPS for API, `phaxio` with HMAC or `sinch` with auth; for MCP use SSE+OAuth or skip MCP and call REST/SDKs directly.
+- Patients/individuals sending their own documents: HIPAA obligations differ; using local stdio MCP is generally acceptable. The receiving provider bears most compliance obligations upon receipt. Providers must still secure inbound faxes on their systems.
+
 ## Operational Checklist (Minimum)
 - [ ] Signed BAA with Phaxio (if using cloud backend).
 - [ ] TLS everywhere (HTTPS for public endpoints; VPN/private link for SIP media).

README.md

@@ -13,7 +13,14 @@ Simple fax-sending API with AI integration. Choose your backend:
 
 [→ Phaxio Setup Guide](docs/PHAXIO_SETUP.md)
 
-### Option 2: Self-Hosted SIP/Asterisk
+### Option 2: Sinch Fax API v3 (Cloud)
+- Direct upload model (no PUBLIC_API_URL fetch)
+- Works with “Phaxio by Sinch” accounts
+- Requires Project ID + API key/secret
+
+[→ Sinch Setup Guide](docs/SINCH_SETUP.md)
+
+### Option 3: Self-Hosted SIP/Asterisk
 - Full control
 - No per-fax cloud charges
 - Requires SIP trunk and T.38 knowledge
@@ -27,6 +34,17 @@ Simple fax-sending API with AI integration. Choose your backend:
 - Legacy servers remain under `api/` and Python `python_mcp/`.
 - OAuth2‑protected SSE MCP servers are available in both Node and Python.
 
+Important file-type note
+- Faxbot accepts only PDF and TXT. If you have images (PNG/JPG), convert them to PDF before sending.
+- Quick conversions:
+  - macOS Preview: File → Export As… → PDF
+  - macOS CLI: `sips -s format pdf "in.png" --out "out.pdf"`
+  - Linux: `img2pdf in.png -o out.pdf` or `magick convert in.png out.pdf`
+  - Windows: open image → Print → “Microsoft Print to PDF”.
+
+Stdio “just works” tip
+- For desktop assistants, prefer the Node or Python stdio MCP and call `send_fax` with `filePath` to your local PDF/TXT. This bypasses base64 and avoids token limits.
+
 ## Client SDKs
 - Python: `pip install faxbot`
 - Node.js: `npm install faxbot`
@@ -37,6 +55,7 @@ Simple fax-sending API with AI integration. Choose your backend:
 - [API Reference](docs/API_REFERENCE.md) — Endpoints and examples
 - [Troubleshooting](docs/TROUBLESHOOTING.md) — Common issues
 - [HIPAA Requirements](HIPAA_REQUIREMENTS.md) — Security, BAAs, and compliance checklist
+- [Images vs Text PDFs](docs/IMAGES_AND_PDFS.md) — The right way to fax scans/photos
 
 ## Notes
 - Send-only. Receiving is out of scope.

TODO.md

@@ -1,5 +1,14 @@
 # Faxbot Security Audit Report - Critical & High Priority Findings
 
+# Faxbot Security Audit Report - Critical & High Priority Findings
+
+## Immediate
+- Implement Sinch webhook handling to reach parity with Phaxio
+  - Add `/sinch-callback` endpoint and signature/auth validation per Sinch docs
+  - Map provider events to queued/in_progress/SUCCESS/FAILED
+  - Update tests and docs (API_REFERENCE.md, SINCH_SETUP.md, TROUBLESHOOTING.md)
+  - Consider configurable verification and retention rules analogous to Phaxio HMAC
+
 ## Executive Summary
 
 **Critical security and compliance issues identified:**
@@ -138,4 +147,4 @@
 **Documentation Gaps:**
 - HIPAA_REQUIREMENTS.md mentions controls not yet implemented in codebase
 - Missing BAA templates and risk analysis templates referenced in documentation
-- Troubleshooting guide doesn't cover security-specific error scenarios
+- Troubleshooting guide doesn't cover security-specific error scenarios

api/app/config.py

@@ -31,6 +31,11 @@ class Settings(BaseModel):
     # Public API URL (needed for cloud backend to fetch PDFs, e.g., Phaxio)
     public_api_url: str = Field(default_factory=lambda: os.getenv("PUBLIC_API_URL", "http://localhost:8080"))
 
+    # Sinch Fax (Phaxio by Sinch) — direct upload flow
+    sinch_project_id: str = Field(default_factory=lambda: os.getenv("SINCH_PROJECT_ID", ""))
+    sinch_api_key: str = Field(default_factory=lambda: os.getenv("SINCH_API_KEY", os.getenv("PHAXIO_API_KEY", "")))
+    sinch_api_secret: str = Field(default_factory=lambda: os.getenv("SINCH_API_SECRET", os.getenv("PHAXIO_API_SECRET", "")))
+
     # Fax presentation
     fax_header: str = Field(default_factory=lambda: os.getenv("FAX_HEADER", "Faxbot"))
     fax_station_id: str = Field(default_factory=lambda: os.getenv("FAX_LOCAL_STATION_ID", "+10000000000"))

api/app/main.py

@@ -14,6 +14,7 @@
 from .conversion import ensure_dir, txt_to_pdf, pdf_to_tiff
 from .ami import ami_client
 from .phaxio_service import get_phaxio_service
+from .sinch_service import get_sinch_service
 import hmac
 import hashlib
 from urllib.parse import urlparse
@@ -146,6 +147,10 @@ async def send_fax(background: BackgroundTasks, to: str = Form(...), file: Uploa
         if settings.fax_disabled:
             # Test mode: nothing else to prepare
             pass
+    elif settings.fax_backend == "sinch":
+        # Sinch cloud backend: no local TIFF; provider handles rasterization
+        pages = None
+        # nothing else to prepare here
     else:
         # SIP/Asterisk requires TIFF
         if settings.fax_disabled:
@@ -175,10 +180,10 @@ async def send_fax(background: BackgroundTasks, to: str = Form(...), file: Uploa
     # Kick off fax sending based on backend
     if not settings.fax_disabled:
         if settings.fax_backend == "phaxio":
-            # For Phaxio, we need a public URL for the PDF
             background.add_task(_send_via_phaxio, job_id, to, pdf_path)
+        elif settings.fax_backend == "sinch":
+            background.add_task(_send_via_sinch, job_id, to, pdf_path)
         else:
-            # SIP/Asterisk backend
             background.add_task(_originate_job, job_id, to, tiff_path)
 
     return _serialize_job(job)
@@ -418,6 +423,49 @@ async def _send_via_phaxio(job_id: str, to: str, pdf_path: str):
         audit_event("job_failed", job_id=job_id, error=str(e))
 
 
+async def _send_via_sinch(job_id: str, to: str, pdf_path: str):
+    """Send fax via Sinch Fax API v3 (Phaxio by Sinch)."""
+    try:
+        sinch = get_sinch_service()
+        if not sinch or not sinch.is_configured():
+            raise Exception("Sinch Fax is not properly configured")
+
+        audit_event("job_dispatch", job_id=job_id, method="sinch")
+
+        # Create fax by uploading the PDF directly (multipart/form-data)
+        resp = await sinch.send_fax_file(to, pdf_path)
+
+        fax_id = str(resp.get("id") or resp.get("data", {}).get("id") or "")
+        status = (resp.get("status") or resp.get("data", {}).get("status") or "in_progress").upper()
+        if status == "IN_PROGRESS":
+            internal_status = "in_progress"
+        elif status in {"SUCCESS", "COMPLETED", "COMPLETED_OK"}:
+            internal_status = "SUCCESS"
+        elif status in {"FAILED", "FAILURE", "ERROR"}:
+            internal_status = "FAILED"
+        else:
+            internal_status = "queued"
+
+        with SessionLocal() as db:
+            job = db.get(FaxJob, job_id)
+            if job:
+                job.provider_sid = fax_id
+                job.status = internal_status
+                job.updated_at = datetime.utcnow()
+                db.add(job)
+                db.commit()
+    except Exception as e:
+        with SessionLocal() as db:
+            job = db.get(FaxJob, job_id)
+            if job:
+                job.status = "failed"
+                job.error = str(e)
+                job.updated_at = datetime.utcnow()
+                db.add(job)
+                db.commit()
+        audit_event("job_failed", job_id=job_id, error=str(e))
+
+
 def _serialize_job(job: FaxJob) -> FaxJobOut:
     return FaxJobOut(
         id=job.id,

api/app/sinch_service.py

@@ -0,0 +1,135 @@
+import asyncio
+from typing import Optional, Dict, Any
+import httpx
+import logging
+import os
+
+from .config import settings, reload_settings
+
+logger = logging.getLogger(__name__)
+
+
+class SinchFaxService:
+    """
+    Sinch Fax API v3 integration ("Phaxio by Sinch").
+
+    Flow:
+      1) POST /v3/projects/{projectId}/files (multipart/form-data) → returns file id
+      2) POST /v3/projects/{projectId}/faxes { to, file } → returns fax object (id/status)
+      3) GET /v3/projects/{projectId}/faxes/{id} → poll status (optional)
+    """
+
+    DEFAULT_BASES = (
+        "https://fax.api.sinch.com/v3",
+        "https://us.fax.api.sinch.com/v3",
+        "https://eu.fax.api.sinch.com/v3",
+    )
+
+    def __init__(self, project_id: str, api_key: str, api_secret: str, base_url: Optional[str] = None):
+        self.project_id = project_id
+        self.api_key = api_key
+        self.api_secret = api_secret
+        self.base_url = base_url or os.getenv("SINCH_BASE_URL") or self.DEFAULT_BASES[0]
+
+    def is_configured(self) -> bool:
+        return bool(self.project_id and self.api_key and self.api_secret)
+
+    def _auth(self) -> tuple[str, str]:
+        return (self.api_key, self.api_secret)
+
+    async def upload_file(self, file_path: str) -> int:
+        if not os.path.exists(file_path):
+            raise FileNotFoundError(file_path)
+        urls = [self.base_url] + [b for b in self.DEFAULT_BASES if b != self.base_url]
+        last = None
+        for base in urls:
+            url = f"{base}/projects/{self.project_id}/files"
+            try:
+                async with httpx.AsyncClient(timeout=60.0) as client:
+                    files = {"file": (os.path.basename(file_path), open(file_path, "rb"), "application/pdf")}
+                    resp = await client.post(url, files=files, auth=self._auth())
+                if resp.status_code < 400:
+                    data = resp.json()
+                    file_id = data.get("id") or data.get("data", {}).get("id")
+                    if file_id is None:
+                        raise RuntimeError(f"Unexpected Sinch upload response: {data}")
+                    return int(file_id)
+                last = (url, resp.status_code, resp.text)
+            except Exception as e:  # pragma: no cover
+                last = (url, "exception", str(e))
+                continue
+        raise RuntimeError(f"Sinch file upload failed: {last}")
+        files = {"file": (os.path.basename(file_path), open(file_path, "rb"), "application/pdf")}
+        async with httpx.AsyncClient(timeout=60.0) as client:
+            resp = await client.post(url, files=files, auth=self._auth())
+            if resp.status_code >= 400:
+                raise RuntimeError(f"Sinch file upload error {resp.status_code}: {resp.text}")
+            data = resp.json()
+            file_id = data.get("id") or data.get("data", {}).get("id")
+            if file_id is None:
+                raise RuntimeError(f"Unexpected Sinch upload response: {data}")
+            return int(file_id)
+
+    async def send_fax(self, to_number: str, file_id: int) -> Dict[str, Any]:
+        # Normalize number to E.164 if possible
+        to = to_number
+        if not to.startswith('+'):
+            digits = ''.join(c for c in to if c.isdigit())
+            if len(digits) >= 10:
+                to = f"+{digits}"
+        url = f"{self.base_url}/projects/{self.project_id}/faxes"
+        payload = {"to": to, "file": file_id}
+        async with httpx.AsyncClient(timeout=30.0) as client:
+            resp = await client.post(url, json=payload, auth=self._auth())
+            if resp.status_code >= 400:
+                raise RuntimeError(f"Sinch create fax error {resp.status_code}: {resp.text}")
+            return resp.json()
+
+    async def get_fax_status(self, fax_id: str) -> Dict[str, Any]:
+        url = f"{self.BASE_URL}/projects/{self.project_id}/faxes/{fax_id}"
+        async with httpx.AsyncClient(timeout=15.0) as client:
+            resp = await client.get(url, auth=self._auth())
+            resp.raise_for_status()
+            return resp.json()
+
+    async def send_fax_file(self, to_number: str, file_path: str) -> Dict[str, Any]:
+        """Create a fax by posting the file directly as multipart/form-data.
+
+        This mirrors what the Sinch console does and avoids a separate /files upload.
+        """
+        if not os.path.exists(file_path):
+            raise FileNotFoundError(file_path)
+        to = to_number
+        if not to.startswith('+'):
+            digits = ''.join(c for c in to if c.isdigit())
+            if len(digits) >= 10:
+                to = f"+{digits}"
+        url = f"{self.base_url}/projects/{self.project_id}/faxes"
+        async with httpx.AsyncClient(timeout=60.0) as client:
+            files = {
+                "file": (os.path.basename(file_path), open(file_path, "rb"), "application/pdf"),
+                "to": (None, to),
+            }
+            resp = await client.post(url, files=files, auth=self._auth())
+            if resp.status_code >= 400:
+                raise RuntimeError(f"Sinch create fax error {resp.status_code}: {resp.text}")
+            return resp.json()
+
+
+_sinch_service: Optional[SinchFaxService] = None
+
+
+def get_sinch_service() -> Optional[SinchFaxService]:
+    global _sinch_service
+    reload_settings()
+    if not (settings.sinch_project_id and settings.sinch_api_key and settings.sinch_api_secret):
+        _sinch_service = None
+        return None
+    if _sinch_service is None:
+        _sinch_service = SinchFaxService(
+            project_id=settings.sinch_project_id,
+            api_key=settings.sinch_api_key,
+            api_secret=settings.sinch_api_secret,
+            base_url=os.getenv("SINCH_BASE_URL") or None,
+        )
+    return _sinch_service

docs/API_REFERENCE.md

@@ -50,16 +50,17 @@ curl -H "X-API-Key: $API_KEY" http://localhost:8080/fax/$JOB_ID
   - `status: string` (queued | in_progress | SUCCESS | FAILED | disabled)
   - `error?: string`
   - `pages?: number`
-  - `backend: string` ("phaxio" or "sip")
+  - `backend: string` ("phaxio", "sinch", or "sip")
   - `provider_sid?: string`
   - `created_at: ISO8601`
   - `updated_at: ISO8601`
 
 ## Notes
-- Backend chosen via `FAX_BACKEND` env var.
+- Backend chosen via `FAX_BACKEND` env var: `phaxio` (cloud via Phaxio/Phaxio‑by‑Sinch V2 style), `sinch` (cloud via Sinch Fax API v3 direct upload), or `sip` (self‑hosted Asterisk).
 - TXT files are converted to PDF before TIFF conversion.
 - If Ghostscript is missing, TIFF step is stubbed with pages=1; install for production.
-- For the Phaxio backend, TIFF conversion is skipped; page count is finalized via the provider callback.
+- For the `phaxio` backend, TIFF conversion is skipped; page count is finalized via the provider callback (`/phaxio-callback`, HMAC verification supported).
+- For the `sinch` backend, the API uploads your PDF directly to Sinch. Webhook support is under evaluation; status reflects the provider’s immediate response and may be updated by polling in future versions.
 - Tokenized PDF access has a TTL (`PDF_TOKEN_TTL_MINUTES`, default 60). The `/fax/{id}/pdf?token=...` link expires after TTL.
 - Optional retention: enable automatic cleanup of artifacts by setting `ARTIFACT_TTL_DAYS>0` (default disabled). Cleanup runs every `CLEANUP_INTERVAL_MINUTES` (default 1440).