claude-threads 1.15.2 → 1.16.1

package/CHANGELOG.md

@@ -7,6 +7,32 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [1.16.1] - 2026-05-22
+
+### Security
+- **Fail-closed authorization on the user-driven paths that invoke Claude.** A confirmed bypass let an unauthorized Slack user (not in `allowedUsers`, non-empty allowlist) reach Claude: the bot posted both the "not authorized" warning and a real answer in the same thread. Rather than chase the one leaking caller, authorization is now deny-by-default at the functions that spawn or message Claude on a user's behalf: `startSession`, `sendFollowUp`, and `resumePausedSession`, plus the resume-from-reaction path. A single helper, `isAuthorizedForSession`, encodes every tier (global allowlist, empty-allowlist allow-all, per-session owner and invited users) and refuses a missing, empty, or `unknown` username. Every user-facing path now routes through that one helper instead of duplicating the check. The biggest gap was message-driven resume, which ran purely from persisted state with no identity check; it now takes a `username` and verifies it against the persisted session allowlist before resuming. The two system-triggered resume paths (bulk restore after a bot restart) stay ungated by design, since they carry no user identity. Legitimate username-less follow-ups (passthrough slash commands like `/context`, already authorized upstream) pass an explicit `system` flag so they are not caught. The mid-session approval flow is untouched: it still adds approved users to the session allowlist, so the check passes once approval is granted. (#388)
+- **hono 4.12.18 → 4.12.21** picks up four upstream security fixes: GHSA-2gcr-mfcq-wcc3 (`app.mount()` stripped the mount prefix from the raw, undecoded pathname, so percent-encoded paths could be cut at the wrong offset and reach a sub-app with the wrong path), GHSA-xrhx-7g5j-rcj5 (`hono/ip-restriction` compared IPs by string equality, so non-canonical IPv6 forms such as compressed or hex IPv4-mapped addresses slipped past static deny rules), GHSA-3hrh-pfw6-9m5x (the cookie helper didn't sanitize `sameSite`/`priority`, allowing Set-Cookie injection via `;`, `\r`, `\n`), and GHSA-f577-qrjj-4474 (`hono/jwt` accepted any two-part Authorization header regardless of scheme, not just `Bearer`). claude-threads reaches hono through `@hono/node-server` on the inbound webhook surface, so the mount-prefix and Set-Cookie fixes are the relevant ones. (#386)
+
+### Changed
+- **Production deps** bumped: `@hono/node-server` 2.0.2 → 2.0.3 (preserves headers mutated after raw Response construction), `express-rate-limit` 8.5.1 → 8.5.2 (simplified IPv6 key generation). Lockfile-only. (#386)
+- **Dev deps** bumped: `@types/bun` 1.3.13 → 1.3.14, `@types/node` 25.7.0 → 25.9.1, `@types/react` 19.2.14 → 19.2.15, `eslint` 10.3.0 → 10.4.0 (adds `includeIgnoreFile()` and a `for-direction` sequence-expression check, both additive), `lint-staged` 17.0.4 → 17.0.5, `typescript-eslint` 8.59.3 → 8.59.4 (fixes a `no-floating-promises` stack overflow on recursive types). Lockfile-only. (#385)
+
+### Fixed
+- **Multiple pasted screenshots no longer silently vanish.** When you paste several clipboard images into one chat message, the platforms hand them all the same filename (`image.png`). The save path wrote each one with the `wx` (`O_EXCL`) flag, so the second and later files hit `EEXIST`, got caught, and were reported as a download failure, so they never reached Claude. Saves now dedupe filenames within a single message, inserting a numeric suffix before the extension (`image.png`, `image_1.png`, `image_2.png`); files without an extension get `report`, `report_1`, and so on. The unique name is resolved before the write, so the `wx` flag still does its job against symlink races. (#387)
+- **Inbound attachments are no longer capped at 100 MB.** A hard 100 MB ceiling on incoming files meant anything larger was skipped with a "too large" warning, which surprised people sharing big assets. The cap is gone; an attachment of any reported size is downloaded and written to disk. One tradeoff worth knowing: `downloadFile` still buffers the whole file in memory via `arrayBuffer()`, so a very large attachment is held in RAM while it's written. Streaming that download is a separate change. (#387)
+
+## [1.16.0] - 2026-05-14
+
+### Added
+- **Per-platform channel-verbosity controls.** New `sessionHeader` and `stickyMessage` settings, both `full` (default) / `minimal` (one-line status bar) / `hidden` (no post). Reachable three ways: setup wizard ("How verbose should the bot be in this channel?"), CLI flags (`--session-header`, `--sticky-message`, applied to every platform), or per-platform YAML for split values. `hidden` for the header means Claude's reply is the first message in the thread; `hidden` for the sticky stops the `channel_post` bump entirely. Update notices still ride along in `minimal`. Session-header mode persists per session — resume preserves the user's choice. Old `sessions.json` defaults to `full`. The pre-existing top-level `stickyMessage: { description, footer }` block is unchanged. (#384, closes #383)
+
+### Security
+- **`ws` 8.20.0 → 8.20.1** picks up a fix for an uninitialized memory disclosure in `websocket.close()`. Triggered when a `TypedArray` (e.g. `Float32Array`) is passed as the `reason` argument instead of a string or `Buffer` — uninitialized memory was leaked to the remote peer. claude-threads doesn't pass typed arrays to `close()` anywhere we control, but the Mattermost client and inbound webhook surface use `ws` as a transitive dependency. (#382)
+
+### Changed
+- **Production deps** bumped: `@hono/node-server` 2.0.1 → 2.0.2 (serve-static fixes), `react` 19.2.5 → 19.2.6 (RSC type hardening), `semver` 7.7.4 → 7.8.0 (new `truncate` function), `ink-scroll-view` 0.3.6 → 0.3.7. Lockfile-only. (#382)
+- **Dev deps** bumped: `@types/node` 25.6.0 → 25.7.0, `lint-staged` 16.4.0 → 17.0.4, `typescript-eslint` 8.59.2 → 8.59.3. lint-staged 17 drops Node 20 support, but it's a dev dep — the bot's runtime floor is unchanged. Lockfile-only. (#381)
+
 ## [1.15.2] - 2026-05-06
 
 ### Security

package/dist/index.js

@@ -48344,6 +48344,18 @@ var jsYaml = {
 };
 
 // src/config/types.ts
+var OVERHEAD_VISIBILITY_VALUES = ["full", "minimal", "hidden"];
+var DEFAULT_OVERHEAD_VISIBILITY = "full";
+function isOverheadVisibility(value) {
+  return typeof value === "string" && OVERHEAD_VISIBILITY_VALUES.includes(value);
+}
+function resolveOverheadVisibility(value, fieldPath) {
+  if (value === undefined || value === null)
+    return DEFAULT_OVERHEAD_VISIBILITY;
+  if (isOverheadVisibility(value))
+    return value;
+  throw new Error(`Invalid ${fieldPath}: expected one of ${OVERHEAD_VISIBILITY_VALUES.join(", ")}, got ${JSON.stringify(value)}`);
+}
 var LIMITS_DEFAULTS = {
   maxSessions: 5,
   sessionTimeoutMinutes: 30,
@@ -48648,6 +48660,26 @@ var PERMISSION_MODE_CHOICES = [
 function permissionModeChoiceIndex(mode) {
   return PERMISSION_MODE_CHOICES.findIndex((c) => c.value === mode);
 }
+var OVERHEAD_VISIBILITY_CHOICES = [
+  {
+    title: "Full (default)",
+    value: "full",
+    description: "Per-thread session header + channel sticky with active-sessions list"
+  },
+  {
+    title: "Minimal",
+    value: "minimal",
+    description: "One-line status bar only — drops the table and sessions list"
+  },
+  {
+    title: "Hidden",
+    value: "hidden",
+    description: "No header post, no sticky — Claude's reply is the first message in the thread"
+  }
+];
+function overheadVisibilityChoiceIndex(mode) {
+  return OVERHEAD_VISIBILITY_CHOICES.findIndex((c) => c.value === mode);
+}
 var __dirname2 = dirname2(fileURLToPath(import.meta.url));
 var SLACK_MANIFEST_PATH = join2(__dirname2, "..", "docs", "slack-app-manifest.yaml");
 var onCancel = () => {
@@ -49417,6 +49449,10 @@ async function setupMattermostPlatform(id, existing) {
     permissionMode: existingMattermost.permissionMode,
     skipPermissions: existingMattermost.skipPermissions
   }) : "auto";
+  const existingHeader = existingMattermost?.sessionHeader;
+  const existingSticky = existingMattermost?.stickyMessage;
+  const hasSplitVerbosity = existingHeader !== undefined && existingSticky !== undefined && existingHeader !== existingSticky;
+  let lastChannelVerbosity = existingHeader ?? existingSticky ?? DEFAULT_OVERHEAD_VISIBILITY;
   while (true) {
     console.log("");
     console.log(dim("  Now enter your Mattermost credentials:"));
@@ -49521,6 +49557,20 @@ async function setupMattermostPlatform(id, existing) {
       choices: PERMISSION_MODE_CHOICES,
       initial: permissionModeChoiceIndex(lastPermissionMode)
     }, { onCancel });
+    let channelVerbosity = lastChannelVerbosity;
+    if (hasSplitVerbosity) {
+      console.log("");
+      console.log(dim(`  Channel verbosity: keeping split values from current config ` + `(sessionHeader=${existingHeader}, stickyMessage=${existingSticky}). ` + `Edit YAML directly to change.`));
+    } else {
+      const result = await import_prompts.default({
+        type: "select",
+        name: "channelVerbosity",
+        message: "How verbose should the bot be in this channel?",
+        choices: OVERHEAD_VISIBILITY_CHOICES,
+        initial: overheadVisibilityChoiceIndex(lastChannelVerbosity)
+      }, { onCancel });
+      channelVerbosity = result.channelVerbosity;
+    }
     lastUrl = basicSettings.url;
     lastDisplayName = basicSettings.displayName;
     lastToken = finalToken;
@@ -49528,6 +49578,7 @@ async function setupMattermostPlatform(id, existing) {
     lastBotName = basicSettings.botName;
     lastAllowedUsers = allowedUsers.join(",");
     lastPermissionMode = permissionMode;
+    lastChannelVerbosity = channelVerbosity;
     console.log("");
     console.log(dim("  Validating credentials..."));
     const validationResult = await validateMattermostCredentials(basicSettings.url, finalToken, basicSettings.channelId);
@@ -49586,7 +49637,8 @@ async function setupMattermostPlatform(id, existing) {
       channelId: basicSettings.channelId,
       botName: basicSettings.botName,
       allowedUsers,
-      permissionMode: lastPermissionMode
+      permissionMode: lastPermissionMode,
+      ...hasSplitVerbosity ? { sessionHeader: existingHeader, stickyMessage: existingSticky } : lastChannelVerbosity !== DEFAULT_OVERHEAD_VISIBILITY ? { sessionHeader: lastChannelVerbosity, stickyMessage: lastChannelVerbosity } : {}
     };
   }
 }
@@ -49703,6 +49755,10 @@ async function setupSlackPlatform(id, existing) {
     permissionMode: existingSlack.permissionMode,
     skipPermissions: existingSlack.skipPermissions
   }) : "auto";
+  const existingHeader = existingSlack?.sessionHeader;
+  const existingSticky = existingSlack?.stickyMessage;
+  const hasSplitVerbosity = existingHeader !== undefined && existingSticky !== undefined && existingHeader !== existingSticky;
+  let lastChannelVerbosity = existingHeader ?? existingSticky ?? DEFAULT_OVERHEAD_VISIBILITY;
   while (true) {
     console.log("");
     console.log(dim("  Now enter your Slack credentials:"));
@@ -49818,6 +49874,20 @@ async function setupSlackPlatform(id, existing) {
       choices: PERMISSION_MODE_CHOICES,
       initial: permissionModeChoiceIndex(lastPermissionMode)
     }, { onCancel });
+    let channelVerbosity = lastChannelVerbosity;
+    if (hasSplitVerbosity) {
+      console.log("");
+      console.log(dim(`  Channel verbosity: keeping split values from current config ` + `(sessionHeader=${existingHeader}, stickyMessage=${existingSticky}). ` + `Edit YAML directly to change.`));
+    } else {
+      const result = await import_prompts.default({
+        type: "select",
+        name: "channelVerbosity",
+        message: "How verbose should the bot be in this channel?",
+        choices: OVERHEAD_VISIBILITY_CHOICES,
+        initial: overheadVisibilityChoiceIndex(lastChannelVerbosity)
+      }, { onCancel });
+      channelVerbosity = result.channelVerbosity;
+    }
     lastDisplayName = basicSettings.displayName;
     lastBotToken = finalBotToken;
     lastAppToken = finalAppToken;
@@ -49825,6 +49895,7 @@ async function setupSlackPlatform(id, existing) {
     lastBotName = basicSettings.botName;
     lastAllowedUsers = allowedUsers.join(",");
     lastPermissionMode = permissionMode;
+    lastChannelVerbosity = channelVerbosity;
     console.log("");
     console.log(dim("  Validating credentials..."));
     const validationResult = await validateSlackCredentials(finalBotToken, finalAppToken, basicSettings.channelId);
@@ -49889,7 +49960,8 @@ async function setupSlackPlatform(id, existing) {
       channelId: basicSettings.channelId,
       botName: basicSettings.botName,
       allowedUsers,
-      permissionMode: lastPermissionMode
+      permissionMode: lastPermissionMode,
+      ...hasSplitVerbosity ? { sessionHeader: existingHeader, stickyMessage: existingSticky } : lastChannelVerbosity !== DEFAULT_OVERHEAD_VISIBILITY ? { sessionHeader: lastChannelVerbosity, stickyMessage: lastChannelVerbosity } : {}
     };
   }
 }
@@ -50283,6 +50355,24 @@ function sanitizeFilename(name) {
   }
   return cleaned;
 }
+function dedupeFilename(name, used) {
+  if (!used.has(name)) {
+    used.add(name);
+    return name;
+  }
+  const lastDot = name.lastIndexOf(".");
+  const hasExt = lastDot > 0;
+  const stem = hasExt ? name.slice(0, lastDot) : name;
+  const ext = hasExt ? name.slice(lastDot) : "";
+  let counter = 1;
+  let candidate = `${stem}_${counter}${ext}`;
+  while (used.has(candidate)) {
+    counter += 1;
+    candidate = `${stem}_${counter}${ext}`;
+  }
+  used.add(candidate);
+  return candidate;
+}
 function formatBytes(bytes) {
   if (bytes < 1024)
     return `${bytes} B`;
@@ -53513,6 +53603,18 @@ function getSessionStatus(session) {
   return "idle";
 }
 
+// src/session/authorization.ts
+function isAuthorizedForSession(check) {
+  const { username, platform, sessionAllowedUsers } = check;
+  if (!username || username === "unknown") {
+    return false;
+  }
+  if (platform.isUserAllowed(username)) {
+    return true;
+  }
+  return sessionAllowedUsers?.has(username) ?? false;
+}
+
 // src/claude/cli.ts
 init_spawn();
 init_logger();
@@ -54746,7 +54848,7 @@ function createPassthroughHandler(slashCommand) {
       return { handled: false };
     }
     if (ctx.isAllowed) {
-      await ctx.sessionManager.sendFollowUp(ctx.threadId, `/${slashCommand}`);
+      await ctx.sessionManager.sendFollowUp(ctx.threadId, `/${slashCommand}`, undefined, undefined, undefined, { system: true });
     }
     return { handled: true };
   };
@@ -54794,7 +54896,7 @@ async function handleDynamicSlashCommand(command, args, ctx) {
   }
   if (ctx.isAllowed) {
     const fullCommand = args ? `/${command} ${args}` : `/${command}`;
-    await ctx.sessionManager.sendFollowUp(ctx.threadId, fullCommand);
+    await ctx.sessionManager.sendFollowUp(ctx.threadId, fullCommand, undefined, undefined, undefined, { system: true });
   }
   return { handled: true };
 }
@@ -55315,7 +55417,6 @@ import { lstat, mkdir as mkdir2, mkdtemp, rm as rm2, writeFile as writeFile2 } f
 import { tmpdir as tmpdir2 } from "os";
 import { join as join9 } from "path";
 var log18 = createLogger("streaming");
-var MAX_UPLOAD_SIZE = 100 * 1024 * 1024;
 var UPLOAD_ROOT_DIR = "claude-threads-uploads";
 function safeIdSegment(id) {
   return id.replace(/[^A-Za-z0-9._-]/g, "_");
@@ -55355,18 +55456,11 @@ async function saveFilesToUploadDir(platform, uploadDir, files, debug = false) {
     return { saved, skipped };
   }
   const messageDir = await mkdtemp(join9(uploadDir, `${Date.now().toString(36)}-`));
+  const usedNames = new Set;
   for (const file of files) {
-    if (file.size > MAX_UPLOAD_SIZE) {
-      skipped.push({
-        name: file.name,
-        reason: `File too large (${formatBytes(file.size)} > ${formatBytes(MAX_UPLOAD_SIZE)} limit)`,
-        suggestion: "Split the file or share it via an external link"
-      });
-      continue;
-    }
     try {
       const buffer = await platform.downloadFile(file.id);
-      const safeName = sanitizeFilename(file.name);
+      const safeName = dedupeFilename(sanitizeFilename(file.name), usedNames);
       const absolutePath = join9(messageDir, safeName);
       await writeFile2(absolutePath, buffer, { mode: 384, flag: "wx" });
       saved.push({
@@ -63980,6 +64074,13 @@ async function buildStickyMessage(sessions, platformId, config, formatter, getTh
   const otherPlatformSessions = allSessions.filter((s) => s.platformId !== platformId);
   const totalCount = allSessions.length;
   const statusBar = await buildStatusBar(totalCount, config, formatter, platformId);
+  if (config.overhead === "minimal") {
+    return [
+      formatter.formatHorizontalRule(),
+      statusBar
+    ].join(`
+`);
+  }
   const activeSessionIds = new Set(sessions.keys());
   const historySessions = sessionStore ? sessionStore.getHistory(platformId, activeSessionIds).slice(0, 5) : [];
   if (totalCount === 0) {
@@ -64119,7 +64220,35 @@ async function validateLastMessageIds(platform, sessions) {
   });
   await Promise.all(validationPromises);
 }
+var hiddenCleanupDone = new Set;
+function clearHiddenCleanupTracking(platformId) {
+  hiddenCleanupDone.delete(platformId);
+}
 async function updateStickyMessageImpl(platform, sessions, config) {
+  if (config.overhead === "hidden") {
+    if (!hiddenCleanupDone.has(platform.platformId)) {
+      hiddenCleanupDone.add(platform.platformId);
+      const existing = stickyPostIds.get(platform.platformId);
+      if (existing) {
+        log21.info(`sticky[${platform.platformId}] hidden mode: removing leftover ${formatShortId(existing)}`);
+        try {
+          await platform.unpinPost(existing);
+        } catch {}
+        try {
+          await platform.deletePost(existing);
+        } catch {}
+        stickyPostIds.delete(platform.platformId);
+        if (sessionStore) {
+          sessionStore.removeStickyPostId(platform.platformId);
+        }
+      }
+      try {
+        const botUser = await platform.getBotUser();
+        cleanupOldStickyMessages(platform, botUser.id, false, new Set).catch(() => {});
+      } catch {}
+    }
+    return;
+  }
   const platformSessions = [...sessions.values()].filter((s) => s.platformId === platform.platformId);
   log21.debug(`updateStickyMessage for ${platform.platformId}, ${platformSessions.length} sessions`);
   for (const s of platformSessions) {
@@ -64199,8 +64328,11 @@ async function updateStickyMessageImpl(platform, sessions, config) {
     log21.error(`Failed to update sticky message for ${platform.platformId}`, err instanceof Error ? err : undefined);
   }
 }
-async function updateAllStickyMessages(platforms, sessions, config) {
-  const updates = [...platforms.values()].map((platform) => updateStickyMessage(platform, sessions, config));
+async function updateAllStickyMessages(platforms, sessions, config, overheadByPlatform) {
+  const updates = [...platforms.values()].map((platform) => {
+    const overhead = overheadByPlatform?.get(platform.platformId) ?? config.overhead;
+    return updateStickyMessage(platform, sessions, { ...config, overhead });
+  });
   await Promise.all(updates);
 }
 function markNeedsBump(platformId) {
@@ -65986,49 +66118,62 @@ async function requestMessageApproval(session, username, message, ctx) {
     fromUser: username
   });
 }
-async function updateSessionHeader(session, ctx) {
-  if (!session.sessionStartPostId)
-    return;
+async function buildSessionHeaderStatusBar(session, ctx) {
   const formatter = session.platform.getFormatter();
-  const worktreeContext = session.worktreeInfo ? { path: session.worktreeInfo.worktreePath, branch: session.worktreeInfo.branch } : undefined;
-  const shortDir = shortenPath(session.workingDir, undefined, worktreeContext);
   const effectiveMode = effectivePermissionMode({
     override: session.permissionModeOverride,
     sessionHasInteractiveOverride: session.forceInteractivePermissions,
     botWideMode: ctx.config.permissionMode
   });
   const permMode = permissionModeDisplay(effectiveMode).chip;
-  const otherParticipants = [...session.sessionAllowedUsers].filter((u) => u !== session.startedBy).map((u) => formatter.formatUserMention(u)).join(", ");
-  const statusItems = [];
-  const versionStr = formatVersionString();
-  statusItems.push(formatter.formatCode(versionStr));
+  const items = [];
+  items.push(formatter.formatCode(formatVersionString()));
   if (session.usageStats) {
     const stats = session.usageStats;
-    statusItems.push(formatter.formatCode(`\uD83E\uDD16 ${stats.modelDisplayName}`));
+    items.push(formatter.formatCode(`\uD83E\uDD16 ${stats.modelDisplayName}`));
     const contextPercent = Math.round(stats.contextTokens / stats.contextWindowSize * 100);
-    const contextBar = formatContextBar(contextPercent);
-    statusItems.push(formatter.formatCode(`${contextBar} ${contextPercent}%`));
-    statusItems.push(formatter.formatCode(`\uD83D\uDCB0 $${stats.totalCostUSD.toFixed(2)}`));
+    items.push(formatter.formatCode(`${formatContextBar(contextPercent)} ${contextPercent}%`));
+    items.push(formatter.formatCode(`\uD83D\uDCB0 $${stats.totalCostUSD.toFixed(2)}`));
   }
-  statusItems.push(formatter.formatCode(permMode));
+  items.push(formatter.formatCode(permMode));
   if (session.messageManager?.getPendingApproval()?.type === "plan") {
-    statusItems.push(formatter.formatCode("\uD83D\uDCCB Plan pending"));
+    items.push(formatter.formatCode("\uD83D\uDCCB Plan pending"));
   } else if (session.planApproved) {
-    statusItems.push(formatter.formatCode("\uD83D\uDD28 Implementing"));
+    items.push(formatter.formatCode("\uD83D\uDD28 Implementing"));
   }
   if (ctx.config.chromeEnabled) {
-    statusItems.push(formatter.formatCode("\uD83C\uDF10 Chrome"));
+    items.push(formatter.formatCode("\uD83C\uDF10 Chrome"));
   }
   if (keepAlive.isActive()) {
-    statusItems.push(formatter.formatCode("\uD83D\uDC93 Keep-alive"));
+    items.push(formatter.formatCode("\uD83D\uDC93 Keep-alive"));
   }
   const battery = await formatBatteryStatus();
   if (battery) {
-    statusItems.push(formatter.formatCode(battery));
+    items.push(formatter.formatCode(battery));
   }
-  const uptime = formatUptime(session.startedAt);
-  statusItems.push(formatter.formatCode(`⏱️ ${uptime}`));
-  const statusBar = statusItems.join(" · ");
+  items.push(formatter.formatCode(`⏱️ ${formatUptime(session.startedAt)}`));
+  return items.join(" · ");
+}
+async function updateSessionHeader(session, ctx) {
+  if (session.sessionHeaderMode === "hidden")
+    return;
+  if (!session.sessionStartPostId)
+    return;
+  const formatter = session.platform.getFormatter();
+  const statusBar = await buildSessionHeaderStatusBar(session, ctx);
+  const updateInfo = getUpdateInfo();
+  const updateNotice = updateInfo ? `> ⚠️ ${formatter.formatBold("Update available:")} v${updateInfo.current} → v${updateInfo.latest} - Run ${formatter.formatCode("bun install -g claude-threads")}
+
+` : undefined;
+  if (session.sessionHeaderMode === "minimal") {
+    const msg2 = [updateNotice, statusBar].filter(Boolean).join(`
+`);
+    await updatePost(session, session.sessionStartPostId, msg2);
+    return;
+  }
+  const worktreeContext = session.worktreeInfo ? { path: session.worktreeInfo.worktreePath, branch: session.worktreeInfo.branch } : undefined;
+  const shortDir = shortenPath(session.workingDir, undefined, worktreeContext);
+  const otherParticipants = [...session.sessionAllowedUsers].filter((u) => u !== session.startedBy).map((u) => formatter.formatUserMention(u)).join(", ");
   const items = [];
   if (session.sessionTitle) {
     items.push(["\uD83D\uDCDD", "Topic", session.sessionTitle]);
@@ -66074,10 +66219,6 @@ async function updateSessionHeader(session, ctx) {
   const logPath = getLogFilePath(session.platform.platformId, session.claudeSessionId);
   const shortLogPath = logPath.replace(process.env.HOME || "", "~");
   items.push(["\uD83D\uDCCB", "Log File", formatter.formatCode(shortLogPath)]);
-  const updateInfo = getUpdateInfo();
-  const updateNotice = updateInfo ? `> ⚠️ ${formatter.formatBold("Update available:")} v${updateInfo.current} → v${updateInfo.latest} - Run ${formatter.formatCode("bun install -g claude-threads")}
-
-` : undefined;
   const msg = [
     updateNotice,
     statusBar,
@@ -66085,8 +66226,7 @@ async function updateSessionHeader(session, ctx) {
     formatter.formatKeyValueList(items)
   ].filter((item) => item !== null && item !== undefined).join(`
 `);
-  const postId = session.sessionStartPostId;
-  await updatePost(session, postId, msg);
+  await updatePost(session, session.sessionStartPostId, msg);
 }
 async function showUpdateStatus(session, updateManager, ctx) {
   const formatter = session.platform.getFormatter();
@@ -66586,6 +66726,17 @@ function maybeInjectMetadataReminder(message, session, ctx, fullSession) {
   }
   return message;
 }
+function resumeSessionHeaderMode(persisted, platformConfigured) {
+  return persisted ?? platformConfigured ?? DEFAULT_OVERHEAD_VISIBILITY;
+}
+function resolveSessionHeaderMode(configured, replyToPostId, platformId) {
+  const mode = configured ?? DEFAULT_OVERHEAD_VISIBILITY;
+  if (mode === "hidden" && !replyToPostId) {
+    log30.error(`sessionHeader: hidden requires a replyToPostId for ${platformId}; ` + `downgrading this session to 'minimal' so the header post is still short.`);
+    return "minimal";
+  }
+  return mode;
+}
 async function startSession(options, username, displayName, replyToPostId, platformId, ctx, triggeringPostId, initialOptions) {
   const threadId = replyToPostId || "";
   const existingSessionId = ctx.ops.getSessionId(platformId, threadId);
@@ -66599,6 +66750,10 @@ async function startSession(options, username, displayName, replyToPostId, platf
   if (!platform) {
     throw new Error(`Platform '${platformId}' not found. Call addPlatform() first.`);
   }
+  if (!isAuthorizedForSession({ username, platform, sessionAllowedUsers: undefined })) {
+    log30.warn(`auth.denied.startSession: @${username || "unknown"} not authorized to start session in ${threadId.substring(0, 8)}...`);
+    return;
+  }
   const activeOrPending = ctx.state.sessions.size + pendingStartsCount;
   if (activeOrPending >= ctx.config.maxSessions) {
     const formatter2 = platform.getFormatter();
@@ -66611,13 +66766,18 @@ async function startSession(options, username, displayName, replyToPostId, platf
     return;
   }
   pendingStartsCount++;
+  const sessionHeaderMode = resolveSessionHeaderMode(ctx.ops.getPlatformOverhead(platformId).sessionHeader, replyToPostId, platformId);
   const startFormatter = platform.getFormatter();
-  const startPost = await withErrorHandling(() => platform.createPost(startFormatter.formatItalic("Claude Threads session starting..."), replyToPostId), { action: "Create session post" });
-  if (!startPost) {
-    releasePendingStart();
-    return;
+  const skipHeaderPost = sessionHeaderMode === "hidden";
+  let startPost;
+  if (!skipHeaderPost) {
+    startPost = await withErrorHandling(() => platform.createPost(startFormatter.formatItalic("Claude Threads session starting..."), replyToPostId), { action: "Create session post" });
+    if (!startPost) {
+      releasePendingStart();
+      return;
+    }
   }
-  const actualThreadId = replyToPostId || startPost.id;
+  const actualThreadId = replyToPostId || (startPost ? startPost.id : "");
   const sessionId = ctx.ops.getSessionId(platformId, actualThreadId);
   platform.sendTyping(actualThreadId);
   const claudeSessionId = randomUUID4();
@@ -66631,13 +66791,23 @@ async function startSession(options, username, displayName, replyToPostId, platf
     const requestedDir = initialOptions.workingDir.startsWith("~") ? initialOptions.workingDir.replace("~", process.env.HOME || "") : initialOptions.workingDir;
     const resolvedDir = resolve6(requestedDir);
     if (!existsSync12(resolvedDir)) {
-      await platform.updatePost(startPost.id, `❌ Directory does not exist: ${formatter.formatCode(initialOptions.workingDir)}`);
+      const msg = `❌ Directory does not exist: ${formatter.formatCode(initialOptions.workingDir)}`;
+      if (startPost) {
+        await platform.updatePost(startPost.id, msg);
+      } else {
+        await platform.createPost(msg, replyToPostId);
+      }
       releasePendingStart();
       return;
     }
     const { statSync: statSync4 } = await import("fs");
     if (!statSync4(resolvedDir).isDirectory()) {
-      await platform.updatePost(startPost.id, `❌ Not a directory: ${formatter.formatCode(initialOptions.workingDir)}`);
+      const msg = `❌ Not a directory: ${formatter.formatCode(initialOptions.workingDir)}`;
+      if (startPost) {
+        await platform.updatePost(startPost.id, msg);
+      } else {
+        await platform.createPost(msg, replyToPostId);
+      }
       releasePendingStart();
       return;
     }
@@ -66695,7 +66865,8 @@ async function startSession(options, username, displayName, replyToPostId, platf
     sessionAllowedUsers: new Set([username]),
     forceInteractivePermissions,
     permissionModeOverride: sessionPermissionModeOverride,
-    sessionStartPostId: startPost.id,
+    sessionStartPostId: startPost ? startPost.id : null,
+    sessionHeaderMode,
     timers: createSessionTimers(),
     lifecycle: createSessionLifecycle(),
     timeoutWarningPosted: false,
@@ -66714,7 +66885,9 @@ async function startSession(options, username, displayName, replyToPostId, platf
   });
   mutableSessions(ctx).set(sessionId, session);
   releasePendingStart();
-  ctx.ops.registerPost(startPost.id, actualThreadId);
+  if (startPost) {
+    ctx.ops.registerPost(startPost.id, actualThreadId);
+  }
   ctx.ops.emitSessionAdd(session);
   sessionLog6(session).info(`▶ Session started by @${username}`);
   fireMetadataSuggestions(session, options.prompt, ctx);
@@ -66847,6 +67020,7 @@ Please start a new session.`), { action: "Post resume failure notification" });
     sessionAllowedUsers: new Set(state.sessionAllowedUsers),
     forceInteractivePermissions: state.forceInteractivePermissions ?? false,
     sessionStartPostId: state.sessionStartPostId ?? null,
+    sessionHeaderMode: resumeSessionHeaderMode(state.sessionHeaderMode, ctx.ops.getPlatformOverhead(platformId).sessionHeader),
     timers: createSessionTimers(),
     lifecycle: createResumedLifecycle(state.resumeFailCount ?? 0),
     timeoutWarningPosted: false,
@@ -66947,9 +67121,15 @@ ${failFormatter.formatItalic("Your previous conversation context is preserved, b
     await ctx.ops.updateStickyMessage();
   }
 }
-async function sendFollowUp(session, message, files, ctx, username, displayName) {
+async function sendFollowUp(session, message, files, ctx, username, displayName, options) {
   if (!session.claude.isRunning())
     return;
+  if (!options?.system) {
+    if (!isAuthorizedForSession({ username, platform: session.platform, sessionAllowedUsers: session.sessionAllowedUsers })) {
+      sessionLog6(session).warn(`auth.denied.sendFollowUp: @${username || "unknown"} not authorized`);
+      return;
+    }
+  }
   if (session.needsContextPromptOnNextMessage) {
     session.needsContextPromptOnNextMessage = false;
     await session.messageManager?.prepareForUserMessage();
@@ -66972,7 +67152,7 @@ async function sendFollowUp(session, message, files, ctx, username, displayName)
   session.messageCount++;
   await session.messageManager.handleUserMessage(messageToSend, files, username, displayName);
 }
-async function resumePausedSession(threadId, message, files, ctx) {
+async function resumePausedSession(threadId, message, files, ctx, username) {
   const persisted = ctx.state.sessionStore.load();
   const state = findPersistedByThreadId(persisted, threadId);
   if (!state) {
@@ -66980,6 +67160,16 @@ async function resumePausedSession(threadId, message, files, ctx) {
     return;
   }
   const shortId = threadId.substring(0, 8);
+  const platform = ctx.state.platforms.get(state.platformId);
+  if (!platform) {
+    log30.warn(`auth.denied.resume: platform '${state.platformId}' not found for ${shortId}...`);
+    return;
+  }
+  const sessionAllowedUsers = new Set(state.sessionAllowedUsers || [state.startedBy].filter(Boolean));
+  if (!isAuthorizedForSession({ username, platform, sessionAllowedUsers })) {
+    log30.warn(`auth.denied.resume: @${username || "unknown"} not authorized to resume ${shortId}...`);
+    return;
+  }
   log30.info(`\uD83D\uDD04 Resuming paused session ${shortId}... for new message`);
   await resumeSession(state, ctx);
   const session = ctx.ops.findSessionByThreadId(threadId);
@@ -67497,9 +67687,9 @@ async function tryResumeFromReaction(deps, platformId, postId, username) {
   const sessionId = `${platformId}:${persistedSession.threadId}`;
   if (deps.registry.hasById(sessionId))
     return false;
-  const allowedUsers = new Set(persistedSession.sessionAllowedUsers);
   const platform = deps.platforms.get(platformId);
-  if (!allowedUsers.has(username) && !platform?.isUserAllowed(username)) {
+  const sessionAllowedUsers = new Set(persistedSession.sessionAllowedUsers || [persistedSession.startedBy].filter(Boolean));
+  if (!platform || !isAuthorizedForSession({ username, platform, sessionAllowedUsers })) {
     if (platform) {
       await platform.createPost(`⚠️ @${username} is not authorized to resume this session`, persistedSession.threadId);
     }
@@ -67581,6 +67771,7 @@ class SessionManager extends EventEmitter4 {
   isShuttingDown = false;
   customDescription;
   customFooter;
+  platformOverhead = new Map;
   autoUpdateManager = null;
   accountPool;
   constructor(workingDir, permissionModeOrSkipFlag = "default", chromeEnabled = false, worktreeMode = "prompt", sessionsPath, threadLogsEnabled = true, threadLogsRetentionDays = 30, limits, claudeAccounts) {
@@ -67612,8 +67803,12 @@ class SessionManager extends EventEmitter4 {
       cleanupWorktrees: this.limits.cleanupWorktrees
     });
   }
-  addPlatform(platformId, client) {
+  addPlatform(platformId, client, overhead) {
     this.platforms.set(platformId, client);
+    this.platformOverhead.set(platformId, {
+      sessionHeader: overhead?.sessionHeader ?? DEFAULT_OVERHEAD_VISIBILITY,
+      stickyMessage: overhead?.stickyMessage ?? DEFAULT_OVERHEAD_VISIBILITY
+    });
     client.on("message", (post2, user) => this.handleMessage(platformId, post2, user));
     client.on("reaction", (reaction, user) => {
       if (user) {
@@ -67626,6 +67821,9 @@ class SessionManager extends EventEmitter4 {
       }
     });
     client.on("channel_post", () => {
+      if (this.platformOverhead.get(platformId)?.stickyMessage === "hidden") {
+        return;
+      }
       markNeedsBump(platformId);
       this.updateStickyMessage();
     });
@@ -67633,6 +67831,8 @@ class SessionManager extends EventEmitter4 {
   }
   removePlatform(platformId) {
     this.platforms.delete(platformId);
+    this.platformOverhead.delete(platformId);
+    clearHiddenCleanupTracking(platformId);
   }
   setAutoUpdateManager(manager) {
     this.autoUpdateManager = manager;
@@ -67718,7 +67918,11 @@ class SessionManager extends EventEmitter4 {
       getClaudeAccount: (id) => this.accountPool.get(id),
       releaseClaudeAccount: (id) => this.accountPool.release(id),
       markClaudeAccountCooling: (id, untilMs) => this.accountPool.markCooling(id, untilMs),
-      getClaudeAccountPoolStatus: () => this.accountPool.status()
+      getClaudeAccountPoolStatus: () => this.accountPool.status(),
+      getPlatformOverhead: (pid) => this.platformOverhead.get(pid) ?? {
+        sessionHeader: DEFAULT_OVERHEAD_VISIBILITY,
+        stickyMessage: DEFAULT_OVERHEAD_VISIBILITY
+      }
     };
     return createSessionContext(config, state, ops);
   }
@@ -67878,7 +68082,8 @@ class SessionManager extends EventEmitter4 {
       pullRequestUrl: session.pullRequestUrl,
       messageCount: session.messageCount,
       resumeFailCount: session.lifecycle.resumeFailCount,
-      claudeAccountId: session.claudeAccountId
+      claudeAccountId: session.claudeAccountId,
+      sessionHeaderMode: session.sessionHeaderMode
     };
     this.sessionStore.save(session.sessionId, state);
   }
@@ -67895,6 +68100,10 @@ class SessionManager extends EventEmitter4 {
     });
   }
   async updateStickyMessage() {
+    const overheadByPlatform = new Map;
+    for (const [platformId, overhead] of this.platformOverhead) {
+      overheadByPlatform.set(platformId, overhead.stickyMessage);
+    }
     await updateAllStickyMessages(this.platforms, this.registry.getSessions(), {
       maxSessions: this.limits.maxSessions,
       chromeEnabled: this.chromeEnabled,
@@ -67905,7 +68114,7 @@ class SessionManager extends EventEmitter4 {
       description: this.customDescription,
       footer: this.customFooter,
       accountPoolStatus: this.accountPool.isEmpty ? undefined : this.accountPool.status()
-    });
+    }, overheadByPlatform);
   }
   async updateAllStickyMessages() {
     await this.updateStickyMessage();
@@ -68066,11 +68275,11 @@ class SessionManager extends EventEmitter4 {
     }
     return;
   }
-  async sendFollowUp(threadId, message, files, username, displayName) {
+  async sendFollowUp(threadId, message, files, username, displayName, options) {
     const session = this.findSessionByThreadId(threadId);
     if (!session || !session.claude.isRunning())
       return;
-    await sendFollowUp(session, message, files, this.getContext(), username, displayName);
+    await sendFollowUp(session, message, files, this.getContext(), username, displayName, options);
   }
   isSessionActive() {
     return this.registry.size > 0;
@@ -68084,8 +68293,8 @@ class SessionManager extends EventEmitter4 {
       return false;
     return this.registry.getPersistedByThreadId(threadId) !== undefined;
   }
-  async resumePausedSession(threadId, message, files) {
-    await resumePausedSession(threadId, message, files, this.getContext());
+  async resumePausedSession(threadId, message, files, username) {
+    await resumePausedSession(threadId, message, files, this.getContext(), username);
   }
   getPersistedSession(threadId) {
     return this.registry.getPersistedByThreadId(threadId);
@@ -78138,7 +78347,7 @@ async function handleMessage(client, session, post2, user, options) {
       }
       const files2 = post2.metadata?.files;
       if (content || files2?.length) {
-        await session.resumePausedSession(threadRoot, content, files2);
+        await session.resumePausedSession(threadRoot, content, files2, username);
       }
       return;
     }
@@ -79149,7 +79358,7 @@ function wirePlatformEvents(platformId, client, session, ui) {
     ui.addLog({ level: "error", component: platformId, message });
   });
 }
-program.name("claude-threads").version(VERSION).description("Share Claude Code sessions in Mattermost").option("--url <url>", "Mattermost server URL").option("--token <token>", "Mattermost bot token").option("--channel <id>", "Mattermost channel ID").option("--bot-name <name>", "Bot mention name (default: claude-code)").option("--allowed-users <users>", "Comma-separated allowed usernames").option("--permission-mode <mode>", "Permission mode: default | auto | bypass (default: from config)").option("--skip-permissions", "[deprecated] Alias for --permission-mode bypass").option("--no-skip-permissions", "[deprecated] Alias for --permission-mode default").option("--chrome", "Enable Claude in Chrome integration").option("--no-chrome", "Disable Claude in Chrome integration").option("--worktree-mode <mode>", "Git worktree mode: off, prompt, require (default: prompt)").option("--keep-alive", "Enable system sleep prevention (default: enabled)").option("--no-keep-alive", "Disable system sleep prevention").option("--setup", "Run interactive setup wizard (reconfigure existing settings)").option("--debug", "Enable debug logging").option("--skip-version-check", "Skip Claude CLI version compatibility check").option("--auto-restart", "Enable auto-restart on updates (default when autoUpdate enabled)").option("--no-auto-restart", "Disable auto-restart on updates").option("--headless", "Run without interactive UI (logs to stdout)").parse();
+program.name("claude-threads").version(VERSION).description("Share Claude Code sessions in Mattermost").option("--url <url>", "Mattermost server URL").option("--token <token>", "Mattermost bot token").option("--channel <id>", "Mattermost channel ID").option("--bot-name <name>", "Bot mention name (default: claude-code)").option("--allowed-users <users>", "Comma-separated allowed usernames").option("--permission-mode <mode>", "Permission mode: default | auto | bypass (default: from config)").option("--skip-permissions", "[deprecated] Alias for --permission-mode bypass").option("--no-skip-permissions", "[deprecated] Alias for --permission-mode default").option("--chrome", "Enable Claude in Chrome integration").option("--no-chrome", "Disable Claude in Chrome integration").option("--worktree-mode <mode>", "Git worktree mode: off, prompt, require (default: prompt)").option("--session-header <mode>", "Per-thread session header: full | minimal | hidden. Overrides per-platform config.").option("--sticky-message <mode>", "Channel sticky message: full | minimal | hidden. Overrides per-platform config.").option("--keep-alive", "Enable system sleep prevention (default: enabled)").option("--no-keep-alive", "Disable system sleep prevention").option("--setup", "Run interactive setup wizard (reconfigure existing settings)").option("--debug", "Enable debug logging").option("--skip-version-check", "Skip Claude CLI version compatibility check").option("--auto-restart", "Enable auto-restart on updates (default when autoUpdate enabled)").option("--no-auto-restart", "Disable auto-restart on updates").option("--headless", "Run without interactive UI (logs to stdout)").parse();
 var opts = program.opts();
 var forcedInteractive = !!process.env.CLAUDE_THREADS_INTERACTIVE;
 var isHeadless = opts.headless || !forcedInteractive && (!process.stdout.isTTY || !process.stdin.isTTY);
@@ -79237,6 +79446,14 @@ async function startWithoutDaemon() {
     console.error(red(`  ❌ Invalid --permission-mode: "${opts.permissionMode}". Must be one of: default, auto, bypass.`));
     process.exit(1);
   }
+  if (opts.sessionHeader !== undefined && !isOverheadVisibility(opts.sessionHeader)) {
+    console.error(red(`  ❌ Invalid --session-header: "${opts.sessionHeader}". Must be one of: ${OVERHEAD_VISIBILITY_VALUES.join(", ")}.`));
+    process.exit(1);
+  }
+  if (opts.stickyMessage !== undefined && !isOverheadVisibility(opts.stickyMessage)) {
+    console.error(red(`  ❌ Invalid --sticky-message: "${opts.stickyMessage}". Must be one of: ${OVERHEAD_VISIBILITY_VALUES.join(", ")}.`));
+    process.exit(1);
+  }
   const cliArgs = {
     url: opts.url,
     token: opts.token,
@@ -79247,7 +79464,9 @@ async function startWithoutDaemon() {
     permissionMode: opts.permissionMode,
     chrome: opts.chrome,
     worktreeMode: opts.worktreeMode,
-    keepAlive: opts.keepAlive
+    keepAlive: opts.keepAlive,
+    sessionHeader: opts.sessionHeader,
+    stickyMessage: opts.stickyMessage
   };
   if (opts.setup) {
     await runOnboarding(true);
@@ -79268,6 +79487,16 @@ async function startWithoutDaemon() {
   if (cliArgs.keepAlive !== undefined) {
     newConfig.keepAlive = cliArgs.keepAlive;
   }
+  if (cliArgs.sessionHeader !== undefined) {
+    for (const p of newConfig.platforms) {
+      p.sessionHeader = cliArgs.sessionHeader;
+    }
+  }
+  if (cliArgs.stickyMessage !== undefined) {
+    for (const p of newConfig.platforms) {
+      p.stickyMessage = cliArgs.stickyMessage;
+    }
+  }
   const keepAliveEnabled = newConfig.keepAlive !== false;
   if (!newConfig.platforms || newConfig.platforms.length === 0) {
     throw new Error("No platforms configured. Run with --setup to configure.");
@@ -79441,7 +79670,10 @@ async function startWithoutDaemon() {
     });
     const client = createPlatformClient(platformConfig);
     platforms.set(platformConfig.id, client);
-    session.addPlatform(platformConfig.id, client);
+    session.addPlatform(platformConfig.id, client, {
+      sessionHeader: resolveOverheadVisibility(platformConfig.sessionHeader, `platforms[${platformConfig.id}].sessionHeader`),
+      stickyMessage: resolveOverheadVisibility(platformConfig.stickyMessage, `platforms[${platformConfig.id}].stickyMessage`)
+    });
     wirePlatformEvents(platformConfig.id, client, session, ui);
   }
   const enabledPlatforms = Array.from(platforms.entries()).filter(([id]) => platformEnabledState.get(id) ?? true);

package/dist/mcp/mcp-server.js

@@ -3035,6 +3035,9 @@ var require_data = __commonJS((exports, module) => {
 var require_utils = __commonJS((exports, module) => {
   var isUUID = RegExp.prototype.test.bind(/^[\da-f]{8}-[\da-f]{4}-[\da-f]{4}-[\da-f]{4}-[\da-f]{12}$/iu);
   var isIPv4 = RegExp.prototype.test.bind(/^(?:(?:25[0-5]|2[0-4]\d|1\d{2}|[1-9]\d|\d)\.){3}(?:25[0-5]|2[0-4]\d|1\d{2}|[1-9]\d|\d)$/u);
+  var isHexPair = RegExp.prototype.test.bind(/^[\da-f]{2}$/iu);
+  var isUnreserved = RegExp.prototype.test.bind(/^[\da-z\-._~]$/iu);
+  var isPathCharacter = RegExp.prototype.test.bind(/^[\da-z\-._~!$&'()*+,;=:@/]$/iu);
   function stringArrayToHexStripped(input) {
     let acc = "";
     let code = 0;
@@ -3228,27 +3231,77 @@ var require_utils = __commonJS((exports, module) => {
     }
     return output.join("");
   }
-  function normalizeComponentEncoding(component, esc2) {
-    const func = esc2 !== true ? escape : unescape;
-    if (component.scheme !== undefined) {
-      component.scheme = func(component.scheme);
-    }
-    if (component.userinfo !== undefined) {
-      component.userinfo = func(component.userinfo);
-    }
-    if (component.host !== undefined) {
-      component.host = func(component.host);
+  var HOST_DELIMS = { "@": "%40", "/": "%2F", "?": "%3F", "#": "%23", ":": "%3A" };
+  var HOST_DELIM_RE = /[@/?#:]/g;
+  var HOST_DELIM_NO_COLON_RE = /[@/?#]/g;
+  function reescapeHostDelimiters(host, isIP) {
+    const re = isIP ? HOST_DELIM_NO_COLON_RE : HOST_DELIM_RE;
+    re.lastIndex = 0;
+    return host.replace(re, (ch) => HOST_DELIMS[ch]);
+  }
+  function normalizePercentEncoding(input, decodeUnreserved = false) {
+    if (input.indexOf("%") === -1) {
+      return input;
     }
-    if (component.path !== undefined) {
-      component.path = func(component.path);
+    let output = "";
+    for (let i = 0;i < input.length; i++) {
+      if (input[i] === "%" && i + 2 < input.length) {
+        const hex = input.slice(i + 1, i + 3);
+        if (isHexPair(hex)) {
+          const normalizedHex = hex.toUpperCase();
+          const decoded = String.fromCharCode(parseInt(normalizedHex, 16));
+          if (decodeUnreserved && isUnreserved(decoded)) {
+            output += decoded;
+          } else {
+            output += "%" + normalizedHex;
+          }
+          i += 2;
+          continue;
+        }
+      }
+      output += input[i];
     }
-    if (component.query !== undefined) {
-      component.query = func(component.query);
+    return output;
+  }
+  function normalizePathEncoding(input) {
+    let output = "";
+    for (let i = 0;i < input.length; i++) {
+      if (input[i] === "%" && i + 2 < input.length) {
+        const hex = input.slice(i + 1, i + 3);
+        if (isHexPair(hex)) {
+          const normalizedHex = hex.toUpperCase();
+          const decoded = String.fromCharCode(parseInt(normalizedHex, 16));
+          if (decoded !== "." && isUnreserved(decoded)) {
+            output += decoded;
+          } else {
+            output += "%" + normalizedHex;
+          }
+          i += 2;
+          continue;
+        }
+      }
+      if (isPathCharacter(input[i])) {
+        output += input[i];
+      } else {
+        output += escape(input[i]);
+      }
     }
-    if (component.fragment !== undefined) {
-      component.fragment = func(component.fragment);
+    return output;
+  }
+  function escapePreservingEscapes(input) {
+    let output = "";
+    for (let i = 0;i < input.length; i++) {
+      if (input[i] === "%" && i + 2 < input.length) {
+        const hex = input.slice(i + 1, i + 3);
+        if (isHexPair(hex)) {
+          output += "%" + hex.toUpperCase();
+          i += 2;
+          continue;
+        }
+      }
+      output += escape(input[i]);
     }
-    return component;
+    return output;
   }
   function recomposeAuthority(component) {
     const uriTokens = [];
@@ -3263,7 +3316,7 @@ var require_utils = __commonJS((exports, module) => {
         if (ipV6res.isIPV6 === true) {
           host = `[${ipV6res.escapedHost}]`;
         } else {
-          host = component.host;
+          host = reescapeHostDelimiters(host, false);
         }
       }
       uriTokens.push(host);
@@ -3277,7 +3330,10 @@ var require_utils = __commonJS((exports, module) => {
   module.exports = {
     nonSimpleDomain,
     recomposeAuthority,
-    normalizeComponentEncoding,
+    reescapeHostDelimiters,
+    normalizePercentEncoding,
+    normalizePathEncoding,
+    escapePreservingEscapes,
     removeDotSegments,
     isIPv4,
     isUUID,
@@ -3462,11 +3518,11 @@ var require_schemes = __commonJS((exports, module) => {
 
 // node_modules/fast-uri/index.js
 var require_fast_uri = __commonJS((exports, module) => {
-  var { normalizeIPv6, removeDotSegments, recomposeAuthority, normalizeComponentEncoding, isIPv4, nonSimpleDomain } = require_utils();
+  var { normalizeIPv6, removeDotSegments, recomposeAuthority, normalizePercentEncoding, normalizePathEncoding, escapePreservingEscapes, reescapeHostDelimiters, isIPv4, nonSimpleDomain } = require_utils();
   var { SCHEMES, getSchemeHandler } = require_schemes();
   function normalize(uri, options) {
     if (typeof uri === "string") {
-      uri = serialize(parse6(uri, options), options);
+      uri = normalizeString(uri, options);
     } else if (typeof uri === "object") {
       uri = parse6(serialize(uri, options), options);
     }
@@ -3532,19 +3588,9 @@ var require_fast_uri = __commonJS((exports, module) => {
     return target;
   }
   function equal(uriA, uriB, options) {
-    if (typeof uriA === "string") {
-      uriA = unescape(uriA);
-      uriA = serialize(normalizeComponentEncoding(parse6(uriA, options), true), { ...options, skipEscape: true });
-    } else if (typeof uriA === "object") {
-      uriA = serialize(normalizeComponentEncoding(uriA, true), { ...options, skipEscape: true });
-    }
-    if (typeof uriB === "string") {
-      uriB = unescape(uriB);
-      uriB = serialize(normalizeComponentEncoding(parse6(uriB, options), true), { ...options, skipEscape: true });
-    } else if (typeof uriB === "object") {
-      uriB = serialize(normalizeComponentEncoding(uriB, true), { ...options, skipEscape: true });
-    }
-    return uriA.toLowerCase() === uriB.toLowerCase();
+    const normalizedA = normalizeComparableURI(uriA, options);
+    const normalizedB = normalizeComparableURI(uriB, options);
+    return normalizedA !== undefined && normalizedB !== undefined && normalizedA.toLowerCase() === normalizedB.toLowerCase();
   }
   function serialize(cmpts, opts) {
     const component = {
@@ -3570,12 +3616,12 @@ var require_fast_uri = __commonJS((exports, module) => {
       schemeHandler.serialize(component, options);
     if (component.path !== undefined) {
       if (!options.skipEscape) {
-        component.path = escape(component.path);
+        component.path = escapePreservingEscapes(component.path);
         if (component.scheme !== undefined) {
           component.path = component.path.split("%3A").join(":");
         }
       } else {
-        component.path = unescape(component.path);
+        component.path = normalizePercentEncoding(component.path);
       }
     }
     if (options.reference !== "suffix" && component.scheme) {
@@ -3610,7 +3656,16 @@ var require_fast_uri = __commonJS((exports, module) => {
     return uriTokens.join("");
   }
   var URI_PARSE = /^(?:([^#/:?]+):)?(?:\/\/((?:([^#/?@]*)@)?(\[[^#/?\]]+\]|[^#/:?]*)(?::(\d*))?))?([^#?]*)(?:\?([^#]*))?(?:#((?:.|[\n\r])*))?/u;
-  function parse6(uri, opts) {
+  function getParseError(parsed, matches) {
+    if (matches[2] !== undefined && parsed.path && parsed.path[0] !== "/") {
+      return 'URI path must start with "/" when authority is present.';
+    }
+    if (typeof parsed.port === "number" && (parsed.port < 0 || parsed.port > 65535)) {
+      return "URI port is malformed.";
+    }
+    return;
+  }
+  function parseWithStatus(uri, opts) {
     const options = Object.assign({}, opts);
     const parsed = {
       scheme: undefined,
@@ -3621,6 +3676,7 @@ var require_fast_uri = __commonJS((exports, module) => {
       query: undefined,
       fragment: undefined
     };
+    let malformedAuthorityOrPort = false;
     let isIP = false;
     if (options.reference === "suffix") {
       if (options.scheme) {
@@ -3641,6 +3697,11 @@ var require_fast_uri = __commonJS((exports, module) => {
       if (isNaN(parsed.port)) {
         parsed.port = matches[5];
       }
+      const parseError = getParseError(parsed, matches);
+      if (parseError !== undefined) {
+        parsed.error = parsed.error || parseError;
+        malformedAuthorityOrPort = true;
+      }
       if (parsed.host) {
         const ipv4result = isIPv4(parsed.host);
         if (ipv4result === false) {
@@ -3679,14 +3740,18 @@ var require_fast_uri = __commonJS((exports, module) => {
             parsed.scheme = unescape(parsed.scheme);
           }
           if (parsed.host !== undefined) {
-            parsed.host = unescape(parsed.host);
+            parsed.host = reescapeHostDelimiters(unescape(parsed.host), isIP);
           }
         }
         if (parsed.path) {
-          parsed.path = escape(unescape(parsed.path));
+          parsed.path = normalizePathEncoding(parsed.path);
         }
         if (parsed.fragment) {
-          parsed.fragment = encodeURI(decodeURIComponent(parsed.fragment));
+          try {
+            parsed.fragment = encodeURI(decodeURIComponent(parsed.fragment));
+          } catch {
+            parsed.error = parsed.error || "URI malformed";
+          }
         }
       }
       if (schemeHandler && schemeHandler.parse) {
@@ -3695,7 +3760,29 @@ var require_fast_uri = __commonJS((exports, module) => {
     } else {
       parsed.error = parsed.error || "URI can not be parsed.";
     }
-    return parsed;
+    return { parsed, malformedAuthorityOrPort };
+  }
+  function parse6(uri, opts) {
+    return parseWithStatus(uri, opts).parsed;
+  }
+  function normalizeString(uri, opts) {
+    return normalizeStringWithStatus(uri, opts).normalized;
+  }
+  function normalizeStringWithStatus(uri, opts) {
+    const { parsed, malformedAuthorityOrPort } = parseWithStatus(uri, opts);
+    return {
+      normalized: malformedAuthorityOrPort ? uri : serialize(parsed, opts),
+      malformedAuthorityOrPort
+    };
+  }
+  function normalizeComparableURI(uri, opts) {
+    if (typeof uri === "string") {
+      const { normalized, malformedAuthorityOrPort } = normalizeStringWithStatus(uri, opts);
+      return malformedAuthorityOrPort ? undefined : normalized;
+    }
+    if (typeof uri === "object") {
+      return serialize(uri, opts);
+    }
   }
   var fastUri = {
     SCHEMES,
@@ -50956,7 +51043,6 @@ function formatBytes(bytes) {
 
 // src/operations/streaming/handler.ts
 var log2 = createLogger("streaming");
-var MAX_UPLOAD_SIZE = 100 * 1024 * 1024;
 async function postSkippedFilesFeedback(platform, threadId, skipped) {
   if (skipped.length === 0)
     return;
@@ -54449,6 +54535,7 @@ var pausedPlatforms = new Map;
 var lastCleanupTime = new Map;
 var CLEANUP_THROTTLE_MS = 5 * 60 * 1000;
 var CLEANUP_MAX_AGE_MS = 60 * 60 * 1000;
+var hiddenCleanupDone = new Set;
 // node_modules/@redactpii/node/lib/index.mjs
 class Redactor {
   apiKey;
@@ -55722,7 +55809,7 @@ function createPassthroughHandler(slashCommand) {
       return { handled: false };
     }
     if (ctx.isAllowed) {
-      await ctx.sessionManager.sendFollowUp(ctx.threadId, `/${slashCommand}`);
+      await ctx.sessionManager.sendFollowUp(ctx.threadId, `/${slashCommand}`, undefined, undefined, undefined, { system: true });
     }
     return { handled: true };
   };

package/docs/CONFIGURATION.md

@@ -57,6 +57,8 @@ platforms:
 | `botName` | No | Mention name (default: `claude-code`) |
 | `allowedUsers` | No | List of usernames who can use the bot |
 | `skipPermissions` | No | Auto-approve actions (default: `false`) |
+| `sessionHeader` | No | Per-thread header visibility: `full` (default) / `minimal` (status bar only) / `hidden` (no header post) |
+| `stickyMessage` | No | Channel sticky visibility: `full` (default) / `minimal` (status bar only) / `hidden` (no sticky, no bumping) |
 
 ### Slack
 
@@ -71,6 +73,23 @@ platforms:
 | `botName` | No | Mention name (default: `claude`) |
 | `allowedUsers` | No | List of Slack usernames |
 | `skipPermissions` | No | Auto-approve actions (default: `false`) |
+| `sessionHeader` | No | Per-thread header visibility: `full` (default) / `minimal` (status bar only) / `hidden` (no header post) |
+| `stickyMessage` | No | Channel sticky visibility: `full` (default) / `minimal` (status bar only) / `hidden` (no sticky, no bumping) |
+
+### Quieting the bot's overhead messages
+
+Both the per-thread session header and the channel sticky message default to `full` for backward compatibility. To strip them down on a noisy channel, set the per-platform fields in `config.yaml`:
+
+```yaml
+platforms:
+  - id: mattermost-main
+    type: mattermost
+    # ... credentials ...
+    sessionHeader: hidden    # no header post — Claude's reply is the first message in the thread
+    stickyMessage: minimal   # one-line status bar at the channel bottom, no sessions list
+```
+
+Note: the per-platform `stickyMessage: <mode>` field is distinct from the top-level `Config.stickyMessage: { description, footer }` block, which still customizes the full sticky for platforms not in `hidden` mode.
 
 ## Claude Accounts (optional, multi-account mode)
 
@@ -139,6 +158,8 @@ Options:
   --chrome                 Enable Chrome integration
   --no-chrome              Disable Chrome integration
   --worktree-mode <mode>   Git worktree mode: off, prompt, require
+  --session-header <mode>  Per-thread header: full | minimal | hidden (overrides per-platform config)
+  --sticky-message <mode>  Channel sticky: full | minimal | hidden (overrides per-platform config)
   --setup                  Re-run setup wizard
   --debug                  Enable debug logging
   --version                Show version

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "claude-threads",
-  "version": "1.15.2",
+  "version": "1.16.1",
   "description": "Share Claude Code sessions live in a Mattermost channel with interactive features",
   "main": "dist/index.js",
   "type": "module",
@@ -71,7 +71,7 @@
     "commander": "^14.0.2",
     "diff": "^8.0.3",
     "express-rate-limit": "^8.3.0",
-    "hono": "^4.12.5",
+    "hono": "^4.12.18",
     "ink": "^6.6.0",
     "ink-scroll-view": "^0.3.5",
     "js-yaml": "^4.1.1",
@@ -94,7 +94,7 @@
     "@types/ws": "^8.18.0",
     "eslint": "^10.1.0",
     "husky": "^9.1.7",
-    "lint-staged": "^16.2.7",
+    "lint-staged": "^17.0.4",
     "prettier": "^3.4.2",
     "typescript": "^6.0.2",
     "typescript-eslint": "^8.57.2"
@@ -115,7 +115,8 @@
     "express-rate-limit": "$express-rate-limit",
     "flatted": ">=3.4.0",
     "picomatch": ">=2.3.2",
-    "path-to-regexp": ">=8.4.0"
+    "path-to-regexp": ">=8.4.0",
+    "fast-uri": ">=3.1.2"
   },
   "resolutions": {
     "hono": "$hono",
@@ -123,6 +124,7 @@
     "express-rate-limit": "$express-rate-limit",
     "flatted": ">=3.4.0",
     "picomatch": ">=2.3.2",
-    "path-to-regexp": ">=8.4.0"
+    "path-to-regexp": ">=8.4.0",
+    "fast-uri": ">=3.1.2"
   }
 }