Add docs support

Author: rmorse

.agents/competitor-analysis/helpscout-mcp-server-caching.md

@@ -0,0 +1,160 @@
+# help-scout-mcp-server: Caching Strategy
+
+> Source: https://github.com/drewburchfield/help-scout-mcp-server
+> Analyzed: 2026-02-25
+
+## Overview
+
+In-process LRU cache with SHA-256 key generation, endpoint-aware TTLs, and no PII-aware eviction. Raw API responses cached before any redaction is applied.
+
+---
+
+## Architecture
+
+```
+HelpScout API → HelpScoutClient.get() → cache.set(raw) → tool handler → redact → MCP response
+                                       ↓
+                              cache.get(raw) → tool handler → redact → MCP response (cache hit)
+```
+
+- **Library**: `lru-cache` (npm)
+- **Storage**: In-process memory. No disk persistence. Lost on restart.
+- **Singleton**: One `Cache` instance exported from `src/utils/cache.ts`, shared across all tool/resource handlers.
+
+---
+
+## Configuration
+
+| Setting | Env var | Default | Unit |
+|---------|---------|---------|------|
+| TTL | `CACHE_TTL_SECONDS` | 300 | seconds |
+| Max entries | `MAX_CACHE_SIZE` | 10,000 | items |
+
+Both configurable via env vars. Applied at startup, no runtime changes.
+
+---
+
+## Key generation
+
+```typescript
+generateKey(prefix: string, data?: unknown): string {
+  const hash = crypto.createHash('sha256');
+  hash.update(JSON.stringify({ prefix, data }));
+  return hash.digest('hex');
+}
+```
+
+- `prefix`: API endpoint path (e.g., `/conversations/123`)
+- `data`: query params object
+- SHA-256 of `JSON.stringify({prefix, data})` → hex string
+- Deterministic: same endpoint + same params = same cache key
+- No namespace isolation between tools/resources
+
+---
+
+## TTL strategy (endpoint-aware)
+
+The `HelpScoutClient.get()` method selects TTL based on endpoint pattern:
+
+| Endpoint pattern | TTL | Rationale |
+|-----------------|-----|-----------|
+| `/mailboxes*` | 1440s (24 hours) | Mailbox config changes rarely |
+| `/conversations*` | 300s (5 min) | Conversations update frequently |
+| `/conversations/*/threads*` | 300s (5 min) | Threads update frequently |
+| Everything else | 300s (5 min) | Default |
+
+Custom TTL can be passed per-call via `cacheOptions.ttl` parameter, though no tool currently overrides the defaults.
+
+---
+
+## Cache lifecycle
+
+### Read path
+```typescript
+async get<T>(endpoint, params, cacheOptions): Promise<T> {
+  const cacheKey = `GET:${endpoint}`;
+  const cachedResult = cache.get<T>(cacheKey, params);
+  if (cachedResult) {
+    logger.debug(`Cache hit: ${endpoint}`);
+    return cachedResult;  // raw API data, no redaction
+  }
+  // ... fetch from API
+}
+```
+
+### Write path
+```typescript
+cache.set(cacheKey, params, response.data, { ttl: determinedTTL });
+```
+
+### Eviction
+- LRU eviction when max size (10,000) reached
+- TTL-based expiry per entry
+- `cache.clear()` method exists but is never called in application code
+- No manual invalidation on write operations (e.g., replying to a thread doesn't invalidate cached thread list)
+
+---
+
+## PII implications
+
+### Raw data always cached
+
+Redaction happens in the tool layer *after* the cache returns data. The cache itself stores complete, unredacted API responses including:
+
+- Customer names and emails
+- Agent names and emails
+- Full message bodies
+- CC/BCC recipients
+- Thread metadata
+
+### No PII-aware features
+
+| Feature | Present? | Impact |
+|---------|----------|--------|
+| Cache-level redaction | No | Raw PII in memory for TTL duration |
+| PII-aware eviction | No | No way to flush customer data on demand |
+| Per-user cache isolation | No | All MCP consumers share same cache |
+| Cache encryption | No | Plain objects in process memory |
+| Audit logging of cache access | No | No trail of what PII was cached/served |
+| Config-change cache invalidation | No | Changing `REDACT_MESSAGE_CONTENT` doesn't flush cache |
+
+### Stale data risk
+
+No write-through invalidation. If a conversation is updated via the HelpScout UI (customer edits, agent replies), the cache serves stale data for up to 5 minutes. This is a correctness issue, not a security one, but worth noting.
+
+---
+
+## Retry & connection pooling
+
+Not caching per se, but related to the client layer:
+
+### Retry logic (`executeWithRetry`)
+- Max attempts: 3 (configurable)
+- Base delay: 1000ms
+- Max delay: 10000ms
+- Jitter: 10% random to avoid thundering herd
+- 429 (rate limit): uses `Retry-After` header
+- 401 (auth failure): clears token, re-authenticates, retries
+- Other 5xx: exponential backoff
+
+### Connection pool
+- Max sockets: 50
+- Max free sockets: 10
+- Timeout: 30,000ms
+- Keep-alive: enabled (1000ms interval)
+
+### OAuth2 token caching
+- Access token stored in `accessToken` property
+- Expiry tracked with 60-second buffer (`tokenExpiresAt`)
+- Concurrent auth requests deduplicated via shared promise (`authenticationPromise`)
+- Token cleared on 401 to force re-auth
+
+---
+
+## Relevance to hs-cli
+
+Our CLI is stateless (no persistent process), so in-process caching doesn't apply. However, these patterns inform our design:
+
+1. **If we ever build an MCP server wrapper**: cache should store anonymized data, not raw, to prevent bypass via cache reads.
+2. **Endpoint-aware TTLs**: reasonable approach if we add caching. Mailboxes are stable (long TTL), conversations/threads change often (short TTL).
+3. **Token management**: our `internal/auth/` already handles OAuth2 with keyring storage — different approach (persistent credentials) vs their in-process token lifecycle.

.agents/competitor-analysis/helpscout-mcp-server-pii.md

@@ -0,0 +1,119 @@
+# help-scout-mcp-server: PII & Anonymization Model
+
+> Source: https://github.com/drewburchfield/help-scout-mcp-server
+> Analyzed: 2026-02-25
+
+## Overview
+
+A thin MCP proxy over the HelpScout API with one optional content-body gate. Despite README claims of "enterprise-grade security" and "SOC2 compliant options", the actual PII model is minimal: message body redaction on 2 of 9 tools. Customer identity (name, email) is always exposed.
+
+---
+
+## Config: Two env vars, one derived flag
+
+```typescript
+// src/utils/config.ts
+security: {
+  allowPii: process.env.REDACT_MESSAGE_CONTENT !== 'true'
+         || process.env.ALLOW_PII === 'true',
+}
+```
+
+| `REDACT_MESSAGE_CONTENT` | `ALLOW_PII` | `allowPii` | Effect |
+|---|---|---|---|
+| unset / `false` | unset | `true` | All content shown (default) |
+| `true` | unset | `false` | Body text redacted in 2 tools |
+| `true` | `true` | `true` | Override — all content shown |
+| `false` | `true` | `true` | All content shown |
+
+- Loaded once at startup via `dotenv.config()`. No runtime reload.
+- `ALLOW_PII=true` silently overrides `REDACT_MESSAGE_CONTENT=true`. No warning emitted.
+- No per-request override. LLM cannot change the setting mid-session.
+
+---
+
+## Tool-by-tool redaction map
+
+9 tools exposed. Only 2 apply any redaction, and only to the `body` field:
+
+| Tool | Bodies redacted? | Customer name/email exposed? | Notes |
+|------|---|---|---|
+| `searchConversations` | No | Yes | Returns full `Conversation` objects |
+| `advancedConversationSearch` | No | Yes | Also accepts `customerEmail` as search param |
+| `comprehensiveConversationSearch` | No | Yes | Results grouped by status |
+| `structuredConversationFilter` | No | Yes | Accepts `customerIds[]` — enumerate by customer |
+| **`getConversationSummary`** | **Yes** | Yes | `body` → placeholder; `customer.*` untouched |
+| **`getThreads`** | **Yes** | Yes | `body` → placeholder; `createdBy.*` untouched |
+| `listAllInboxes` | N/A | N/A | Inbox metadata only |
+| `searchInboxes` | N/A | N/A | Inbox metadata only |
+| `getServerTime` | N/A | N/A | Timestamp only |
+
+### Redaction implementation
+
+```typescript
+// getConversationSummary
+firstCustomerMessage: {
+  body: config.security.allowPii
+    ? firstCustomerMessage.body
+    : '[Content hidden - set REDACT_MESSAGE_CONTENT=false to view]',
+  customer: firstCustomerMessage.customer,  // NOT redacted
+}
+
+// getThreads
+const processedThreads = threads.map(thread => ({
+  ...thread,  // spreads customer, createdBy, assignedTo — all PII
+  body: config.security.allowPii
+    ? thread.body
+    : '[Content hidden - set REDACT_MESSAGE_CONTENT=false to view]',
+}));
+```
+
+Only `body` is swapped. Everything else passes through.
+
+Note: the placeholder text says "set REDACT_MESSAGE_CONTENT=false to view" — this is incorrect. The default (unset) already shows content. The message should say "set REDACT_MESSAGE_CONTENT to false or unset it".
+
+---
+
+## Resource layer: complete bypass
+
+MCP resources (`helpscout://conversations`, `helpscout://threads`, `helpscout://inboxes`) are exposed via `src/resources/index.ts`. This file **does not import the config module**. Zero redaction logic. An MCP client reading resources instead of calling tools gets full unredacted data regardless of env vars.
+
+---
+
+## Fields never protected (regardless of settings)
+
+| Field | Where it appears | Risk |
+|-------|-----------------|------|
+| `customer.firstName` | Every conversation object | Customer identity |
+| `customer.lastName` | Every conversation object | Customer identity |
+| `customer.email` | Every conversation + thread | Customer contact |
+| `assignee.firstName/lastName/email` | Every assigned conversation | Staff identity |
+| `thread.createdBy.email/first/last` | Every thread | Message author |
+| `thread.customer.email` | Every thread | Customer contact |
+| `thread.assignedTo.email` | Draft threads | Staff identity |
+| `conversation.subject` | Every conversation | Customers type PII into subjects |
+| CC/BCC recipients | Thread objects | Third-party contacts |
+
+---
+
+## Permission model
+
+None. No per-tool allowlist, no per-inbox scoping enforcement, no rate limiting per tool.
+
+`HELPSCOUT_DEFAULT_INBOX_ID` is a soft default the LLM can override by passing its own `inboxId`. Not a security boundary.
+
+`HelpScoutAPIConstraints` in `src/utils/api-constraints.ts` validates input format (numeric IDs, non-empty search terms) — correctness guards, not security.
+
+---
+
+## Gap analysis vs our approach
+
+| Dimension | help-scout-mcp-server | hs-cli (planned) |
+|-----------|----------------------|------------------|
+| What's anonymized | Message body only (2 tools) | All person fields: name, email, phone |
+| Identity correlation | None — just hides content | Deterministic fake identities (same person = same fake) |
+| Scope | Binary on/off | Three levels: `off`, `customers`, `all` |
+| Format coverage | Tool responses only | All formats: table, csv, json, json-full |
+| Bypass paths | Resource layer completely unprotected | No bypass — anonymize applies at output layer |
+| Config | Env vars only, no persistence | Config file + env var + `config set` |
+| Customer identity | Always exposed | Anonymized when enabled |

.agents/plans/docs/implementation-checklist.md

@@ -0,0 +1,86 @@
+# Docs API Implementation Checklist
+
+## Infrastructure
+- [x] Config: `DocsAPIKey`, `DocsPermissions` fields + env vars
+- [x] Auth store: `StoreDocsAPIKey`, `LoadDocsAPIKey`, `DeleteDocsAPIKey`
+- [x] DocsClient: HTTP Basic Auth, rate limiter, multipart uploads
+- [x] DocsClientAPI interface
+- [x] Docs pagination: `DocsPaginateAll`, `ExtractDocsItems`
+- [x] DocsPageInfo type
+
+## Root/MCP wiring
+- [x] `docsClient` var in root.go
+- [x] `isUnderSubtree()` helper
+- [x] Docs client init in PersistentPreRunE (env > keyring > config)
+- [x] Docs permission check path
+- [x] MCP catalog discovers both inbox + docs trees
+- [x] MCP description no longer hardcoded "Inbox"
+
+## Auth (3 commands)
+- [x] `hs docs auth login`
+- [x] `hs docs auth status`
+- [x] `hs docs auth logout`
+
+## Collections (5 commands)
+- [x] `hs docs collections list`
+- [x] `hs docs collections get <id>`
+- [x] `hs docs collections create`
+- [x] `hs docs collections update <id>`
+- [x] `hs docs collections delete <id>`
+
+## Categories (6 commands)
+- [x] `hs docs categories list <collection-id>`
+- [x] `hs docs categories get <id>`
+- [x] `hs docs categories create`
+- [x] `hs docs categories update <id>`
+- [x] `hs docs categories reorder <collection-id>`
+- [x] `hs docs categories delete <id>`
+
+## Articles (13 commands)
+- [x] `hs docs articles list` (--collection or --category)
+- [x] `hs docs articles search --query ...`
+- [x] `hs docs articles get <id>` (--draft)
+- [x] `hs docs articles related <id>`
+- [x] `hs docs articles create`
+- [x] `hs docs articles update <id>`
+- [x] `hs docs articles delete <id>`
+- [x] `hs docs articles upload <id> --file ...`
+- [x] `hs docs articles views <id> --count ...`
+- [x] `hs docs articles draft save <id> --text ...`
+- [x] `hs docs articles draft delete <id>`
+- [x] `hs docs articles revisions list <id>`
+- [x] `hs docs articles revisions get <id> <rev-id>`
+
+## Sites (7 commands)
+- [x] `hs docs sites list`
+- [x] `hs docs sites get <id>`
+- [x] `hs docs sites create`
+- [x] `hs docs sites update <id>`
+- [x] `hs docs sites delete <id>`
+- [x] `hs docs sites restrictions get <id>`
+- [x] `hs docs sites restrictions update <id>`
+
+## Redirects (6 commands)
+- [x] `hs docs redirects list <site-id>`
+- [x] `hs docs redirects get <id>`
+- [x] `hs docs redirects find --site ... --url ...`
+- [x] `hs docs redirects create`
+- [x] `hs docs redirects update <id>`
+- [x] `hs docs redirects delete <id>`
+
+## Assets (2 commands)
+- [x] `hs docs assets article upload --file ...`
+- [x] `hs docs assets settings upload --file ...`
+
+## Output
+- [x] JSON clean passthrough (docsCleanMinimal)
+- [x] Table output per resource
+- [x] `jsonStr()` helper for generic JSON→table
+
+## Verification
+- [x] `go build ./cmd/hs` — clean
+- [x] `go vet ./...` — clean
+- [x] `go test ./...` — no new failures (1 pre-existing env-dependent failure)
+- [x] MCP tools/list: 39 `helpscout_docs_*` tools discovered
+- [x] Auth gating: unauthenticated → clear error message
+- [x] All 85 inbox MCP tools still present