Skip to content

Releases: wavyx/hscli

v0.11.2

Choose a tag to compare

@github-actions github-actions released this 08 Jul 21:07
5f3dea4

Dependency refresh — no functional changes.

Changed

  • Dependencies: js-yaml 4 → 5 (now ESM-only with named exports; internal import updated, YAML output unchanged), oclif framework updates (@oclif/core 4.11.14 and plugins), undici 8.7.0, tar 7.5.19, ora 9.4.1, and hono 4.12.28 (transitive, via the MCP SDK). Dev tooling (eslint, prettier, vitest, nock) and website deps (astro, starlight, esbuild) refreshed alongside.
  • Build: every dependency in package.json is now pinned to an exact version (removed the last caret ranges on js-yaml, @modelcontextprotocol/sdk, and zod).
  • CI: workflows now use actions/checkout v7.

v0.11.1

Choose a tag to compare

@github-actions github-actions released this 05 Jun 16:49

Stability pass (from an in-depth adversarial review).

Fixed

  • Reliability: pagination no longer loops forever on a non-numeric pages value (both API clients); the 429 backoff no longer busy-loops when Retry-After is non-numeric (e.g. an HTTP-date) — both now fall back to a sane delay / terminate.
  • MCP — safety & robustness:
    • Tool argument values can no longer be reinterpreted as CLI flags (argv injection): flags are passed as --name=value and positional args after a -- separator.
    • A signal-killed tool subprocess is reported as an error instead of silent success with partial output.
    • Tool calls now have a timeout and an output-size cap, so a hung or runaway command can't hang or OOM the server.
    • mcp serve forwards the active --profile to tool calls (previously they silently ran under the default account).
    • Integer arguments accept JSON numbers ({id: 123}), not only strings.
    • auth login/logout/refresh/setup and docs auth are no longer exposed as tools (they manage local credentials and can open a browser / bind a port on the host); workflow run is now flagged destructive; the inert yes input was removed from delete tools.
  • Homebrew: --jq now works — the formula depends on jq and points node-jq at it (its bundled binary can't be downloaded in the Homebrew sandbox).
  • Reports: --output csv/table now fail with a clear message (reports are nested JSON) instead of emitting nothing.
  • Docs API: --text @missing-file now reports a clear error instead of a raw stack trace.
  • Keychain: a write with no usable keychain (e.g. in a container) gives the friendly "keychain unavailable" guidance instead of a raw PermissionDenied.

v0.11.0

Choose a tag to compare

@github-actions github-actions released this 05 Jun 15:21
0516961

Added

  • Distribution beyond npm:
    • Dockerdocker run --rm ghcr.io/wavyx/hscli --help. Built and pushed to GHCR by the release workflow.
    • Homebrewbrew tap wavyx/tap && brew install hscli (macOS/Linux).
    • Scoopscoop bucket add hscli https://github.com/wavyx/scoop-hscli && scoop install hscli (Windows).
    • npm stays the source of truth; scripts/gen-dist.mjs regenerates the Homebrew formula + Scoop manifest from the published tarball (with its sha256).
  • auth status --output json emits a structured status object (profile, keychain, token state, user) — handy for scripts and as a structured MCP tool result.

Changed

  • MCP: mcp serve no longer advertises the output-shaping global flags (--output/--jq/--fields/--timeout/--no-retry/--verbose/--no-color) it never uses; it keeps --profile and --allow-writes.

v0.10.2

Choose a tag to compare

@github-actions github-actions released this 05 Jun 14:25

Added

  • Home page: a featured MCP section showcasing hscli mcp serve for AI agents, alongside the Docs block.

Changed

  • MCP: no longer expose doctor (a local-environment diagnostic that makes a live network probe) or mcp serve itself (calling it would spawn a nested server) as tools; read tools now carry idempotentHint so clients can cache/retry them safely.

v0.10.1

Choose a tag to compare

@github-actions github-actions released this 05 Jun 13:48

Fixed

  • MCP: bulk operations (conv bulk-status) now carry the MCP destructiveHint, so clients prompt before running them — previously only delete/remove tools were flagged. Corrected the MCP guide to describe exactly which tools are marked destructive (delete/remove/bulk) versus plain writes (create/update).

v0.10.0

Choose a tag to compare

@github-actions github-actions released this 05 Jun 10:12

Added

  • MCP server — hscli mcp serve. Run hscli as a Model Context Protocol server over stdio so AI agents (Claude Desktop, Claude Code, …) drive Help Scout through native tools. One tool per command, generated from the command manifest so it stays in sync.
    • Reads by default, writes opt-in. Only read-only tools are exposed unless started with --allow-writes; mutating tools carry MCP destructiveHint/readOnlyHint annotations so clients can confirm dangerous calls.
    • Each tool call runs the CLI as a child process (keeping the stdio protocol channel clean) and returns the command's JSON as structuredContent. The api escape hatch, streaming conv watch, and bundled oclif plugin commands are not exposed.
    • Reuses the existing OS-keychain OAuth token and Docs API key — the server runs as you.
  • New MCP guide with Claude Desktop / Claude Code configuration.

v0.9.0

Choose a tag to compare

@github-actions github-actions released this 04 Jun 20:33

Added

  • Help Scout Docs API support — a new hscli docs command group for the knowledge base. Docs is a separate product and authenticates with its own per-user API key, independent of the Mailbox OAuth login:
    • docs auth — validate and store the Docs API key in the OS keychain (or pass HSCLI_DOCS_API_KEY for CI).
    • Read & search: docs site list|get, docs collection list|get, docs category list, docs article list|get|search.
    • Articles: docs article create|update|delete, plus docs article save-draft|delete-draft.
    • Collections & categories: docs collection create|update|delete, docs category create|update|delete.
    • The Docs client is host-locked to docsapi.helpscout.net and shares hscli's retry/backoff, rate-limit handling, structured --output table|json|yaml|csv, and deterministic exit codes.
  • Documentation: a new Docs (knowledge base) guide, separate-API-key coverage in the authentication guide, and a home-page recipe showing an agent turning inbox patterns into published articles. The generated command reference now spans all 88 commands.

v0.8.1

Choose a tag to compare

@github-actions github-actions released this 04 Jun 12:22
19a335e

Changed

  • CI, release, and docs workflows now run on Node-24 action majors — actions/checkout@v6, actions/setup-node@v6, codecov/codecov-action@v6, actions/upload-pages-artifact@v5, actions/deploy-pages@v5 — clearing the Node-20 GitHub Actions runner deprecation.
  • Docs site migrated off the deprecated top-level markdown.smartypants / markdown.remarkPlugins options to the Astro 6.4 markdown.processor: unified({ … }) API (the old options are removed in Astro 8.0). No output change — code samples keep literal --flags and straight quotes.
  • Routine minor/patch dependency bumps (Dependabot): @inquirer/prompts, @oclif/plugin-help, @oclif/plugin-plugins, js-yaml, tar, eslint, oclif, vitest, @vitest/coverage-v8.

v0.8.0

Choose a tag to compare

@github-actions github-actions released this 02 Jun 07:38
9f5b01a

Changed

  • BREAKING: the binary is now hscli instead of hs to avoid a global-install collision with the HubSpot CLI (which also installs hs). Update scripts and aliases accordingly.

Security

  • hscli api is now host-locked. Requests whose path resolves to any host other than api.helpscout.net are refused, closing a token-exfiltration vector (e.g. hscli api GET //evil.com/...).
  • Token storage hard-fails when no OS keychain is available. hscli no longer falls back to a weakly-obfuscated file; it refuses to write credentials to disk in plaintext (BREAKING for environments without a system keychain).
  • The Authorization Code login now binds the loopback callback to the fixed port 9999, matching the Redirection URL the hscli auth setup wizard registers, and fails with a clear message if the port is in use.
  • All API requests now send a hscli/<version> User-Agent.

Added

  • LICENSE (MIT), SECURITY.md, CODE_OF_CONDUCT.md, issue/PR templates, and Dependabot config.
  • Automated release workflow (tag-triggered npm publish with provenance via OIDC trusted publishing + GitHub Release).
  • Test coverage is now gated at 90% in CI; CHANGELOG.md ships in the npm tarball.