Merge pull request 'feat(mcp): per-user auth for /mcp (HTTP Basic, server-validated)' (#13) from feat/mcp-per-user-auth into develop

.env.example

@@ -69,12 +69,26 @@ DEBUG_DB=false
 # Log http requests
 LOG_HTTP=false
 
-# MCP server (community): service account the embedded MCP uses to talk to this Docmost instance
+# MCP server (community): the embedded /mcp endpoint authenticates PER USER.
+# An MCP client authenticates with one of:
+#   - HTTP Basic: `Authorization: Basic base64(email:password)` — the user's own
+#     Docmost login/password. The server validates the credentials and the MCP
+#     session then acts under that user's permissions (edits attributed to them).
+#   - Bearer access JWT: `Authorization: Bearer <access-jwt>` (the user's
+#     `authToken` cookie value). Validated as an ACCESS token.
+#
+# OPTIONAL service-account fallback. When a request carries NEITHER Basic NOR
+# Bearer credentials and these are set, the MCP session falls back to this
+# shared service account (back-compat; useful for CI/scripts). Leave BLANK to
+# require per-user credentials.
 MCP_DOCMOST_EMAIL=
 MCP_DOCMOST_PASSWORD=
 # MCP_DOCMOST_API_URL=http://127.0.0.1:3000/api
-# Optional bearer token to protect the /mcp endpoint. If unset, /mcp relies on
-# the workspace MCP toggle and network isolation (do not expose the port publicly).
+# Optional shared guard for the /mcp endpoint. When set, every /mcp request must
+# carry a matching `X-MCP-Token` header (separate from `Authorization`, which now
+# carries the per-user credentials). When unset, /mcp relies on the per-user
+# credentials above plus the workspace MCP toggle and network isolation (do not
+# expose the port publicly).
 # MCP_TOKEN=
 # MCP_SESSION_IDLE_MS=1800000