claude-threads 1.11.0 → 1.12.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +13 -0
- package/dist/index.js +679 -443
- package/dist/mcp/permission-server.js +374 -6
- package/package.json +1 -1
package/CHANGELOG.md
CHANGED
|
@@ -5,6 +5,19 @@ All notable changes to this project will be documented in this file.
|
|
|
5
5
|
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
|
|
6
6
|
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
|
|
7
7
|
|
|
8
|
+
## [1.12.0] - 2026-05-05
|
|
9
|
+
|
|
10
|
+
### Added
|
|
11
|
+
- **Claude can send files inline via the new `send_file` MCP tool.** Closes #360. When Claude produces an artifact during a session — Playwright screenshot, generated TTS MP3, plot, document — it can now post the file directly into the chat thread by calling `send_file(path, caption?)` instead of asking the user to fetch it from a URL. The tool runs inside the per-session `claude-threads-permissions` MCP child (no second MCP server needed), validates the path against the session working directory and per-session upload directory, then drives the Mattermost two-step `/api/v4/files` + `/api/v4/posts file_ids` flow or Slack's three-step v2 flow (`files.getUploadURLExternal` + presigned PUT + `files.completeUploadExternal`). Returns `{ ok: true, postId }` on success or `{ ok: false, reason }` on failure so Claude can retry or apologize to the user. Auto-approved by the permission gate (path validator is the real gate; making the user 👍 every screenshot would defeat the feature). Available in all three permission modes (`default`, `auto`, `bypass`) — bypass-mode now spawns the MCP server too so the tool stays available in the build-anything-on-demand setups that motivated the issue. Optional `outboundFiles: { enabled?, maxBytes? }` block on each platform config — defaults to enabled with a 100 MB cap. Reuses the per-thread upload directory and `MAX_UPLOAD_SIZE` ceiling already established by inbound attachments (PR #359). The system prompt now leads with "You are RIGHT NOW running inside a chat thread" and explicitly tells the model not to claim the tool is unavailable, after a manual test caught the model improvising an apology even though the tool was wired up. (#361)
|
|
12
|
+
|
|
13
|
+
### Security
|
|
14
|
+
- **Path validator hardens `send_file` against traversal and tricks.** New `src/mcp/path-validator.ts`. Rejects: non-absolute paths, anything that resolves (via `realpath`) outside the session working directory or per-session upload directory (path-prefix containment, so `/srv/sessions-evil` does not match `/srv/sessions`), non-regular files (FIFOs, sockets, devices, directories), SUID/SGID files, oversize files, zero-byte files (which Slack's upload endpoint rejects anyway), and dangerously wide allowed roots like `/`, `/home`, `/etc`, `/var`, `/tmp` (so a misconfigured `SESSION_WORKING_DIR` fails loudly instead of widening the trust boundary). The uploader receives the realpath-resolved path so it can't be re-pointed by a symlink between validation and read. Every reject branch has a unit test verified RED-GREEN against the live function. Follow-ups for TOCTOU between validate and read, per-session rate-limiting, and caption-length truncation tracked in #362-#365. (#361)
|
|
15
|
+
|
|
16
|
+
### Internals
|
|
17
|
+
- **`buildRestartCliOptions` helper.** Five places in the codebase construct a `ClaudeCli` (start, resume, `!cd`, `!permissions interactive`, `!worktree create`/`switch`). Each must thread `uploadDir` and `outboundFiles` through, or `send_file` silently breaks for that path. Two of the five (worktree paths) were skipped in the original PR and only caught by manual testing. Extracted to `src/claude/restart-options.ts` so all sites share one source of truth. (#361)
|
|
18
|
+
- **Env-var contract test pins names across the bot↔MCP-child boundary.** `OUTBOUND_ENV` constants in `src/mcp/outbound-env.ts` are referenced by both `buildPermissionArgs` (emit side) and `permission-server.ts` (consume side); a contract test asserts the names match and no bare string literal is used on either side. Caught a class of silent rename-drift bugs that would otherwise type-check and unit-test green while breaking the feature at runtime. (#361)
|
|
19
|
+
- **Portable chmod helper for tests.** Bun 1.3.x masks the SUID/SGID/sticky bits in `fs.chmod` and `chmodSync` (verified against 1.3.3); the SUID-rejection branch of the path validator was untestable without a workaround. New `src/test-utils/chmod-portable.ts` `setMode()` tries the runtime's chmod, verifies via `stat`, and falls back to `/bin/chmod` if the high bits didn't land. Works on Node (fast path) and Bun (shell fallback). (#361)
|
|
20
|
+
|
|
8
21
|
## [1.11.0] - 2026-05-03
|
|
9
22
|
|
|
10
23
|
### Changed
|