mattermost-claude-code 0.4.0 → 0.5.0

package/dist/claude/session.d.ts

@@ -19,6 +19,14 @@ interface PendingApproval {
     postId: string;
     type: 'plan' | 'action';
 }
+/**
+ * Pending message from unauthorized user awaiting approval
+ */
+interface PendingMessageApproval {
+    postId: string;
+    originalMessage: string;
+    fromUser: string;
+}
 /**
  * Represents a single Claude Code session tied to a Mattermost thread.
  * Each session has its own Claude CLI process and state.
@@ -28,12 +36,16 @@ interface Session {
     startedBy: string;
     startedAt: Date;
     lastActivityAt: Date;
+    sessionNumber: number;
     claude: ClaudeCli;
     currentPostId: string | null;
     pendingContent: string;
     pendingApproval: PendingApproval | null;
     pendingQuestionSet: PendingQuestionSet | null;
+    pendingMessageApproval: PendingMessageApproval | null;
     planApproved: boolean;
+    sessionAllowedUsers: Set<string>;
+    sessionStartPostId: string | null;
     tasksPostId: string | null;
     activeSubagents: Map<string, string>;
     updateTimer: ReturnType<typeof setTimeout> | null;
@@ -58,6 +70,11 @@ export declare class SessionManager {
     private registerPost;
     /** Find session by post ID (for reaction routing) */
     private getSessionByPost;
+    /**
+     * Check if a user is allowed in a specific session.
+     * Checks global allowlist first, then session-specific allowlist.
+     */
+    isUserAllowedInSession(threadId: string, username: string): boolean;
     startSession(options: {
         prompt: string;
     }, username: string, replyToPostId?: string): Promise<void>;
@@ -71,6 +88,7 @@ export declare class SessionManager {
     private handleReaction;
     private handleQuestionReaction;
     private handleApprovalReaction;
+    private handleMessageApprovalReaction;
     private formatEvent;
     private formatToolUse;
     private appendContent;
@@ -89,6 +107,14 @@ export declare class SessionManager {
     killSession(threadId: string): void;
     /** Cancel a session with user feedback */
     cancelSession(threadId: string, username: string): Promise<void>;
+    /** Invite a user to participate in a specific session */
+    inviteUser(threadId: string, invitedUser: string, invitedBy: string): Promise<void>;
+    /** Kick a user from a specific session */
+    kickUser(threadId: string, kickedUser: string, kickedBy: string): Promise<void>;
+    /** Update the session header post with current participants */
+    private updateSessionHeader;
+    /** Request approval for a message from an unauthorized user */
+    requestMessageApproval(threadId: string, username: string, message: string): Promise<void>;
     /** Kill all active sessions (for graceful shutdown) */
     killAllSessions(): void;
     /** Cleanup idle sessions that have exceeded timeout */

package/dist/claude/session.js

@@ -65,6 +65,20 @@ export class SessionManager {
         const threadId = this.postIndex.get(postId);
         return threadId ? this.sessions.get(threadId) : undefined;
     }
+    /**
+     * Check if a user is allowed in a specific session.
+     * Checks global allowlist first, then session-specific allowlist.
+     */
+    isUserAllowedInSession(threadId, username) {
+        // Check global allowlist first
+        if (this.mattermost.isUserAllowed(username))
+            return true;
+        // Check session-specific allowlist
+        const session = this.sessions.get(threadId);
+        if (session?.sessionAllowedUsers.has(username))
+            return true;
+        return false;
+    }
     // ---------------------------------------------------------------------------
     // Session Lifecycle
     // ---------------------------------------------------------------------------
@@ -82,26 +96,8 @@ export class SessionManager {
             await this.mattermost.createPost(`⚠️ **Too busy** - ${this.sessions.size} sessions active. Please try again later.`, replyToPostId);
             return;
         }
-        // Post session start message
-        const shortDir = this.workingDir.replace(process.env.HOME || '', '~');
-        const sessionNum = this.sessions.size + 1;
-        const permMode = this.skipPermissions ? '⚡ Auto' : '🔐 Interactive';
-        const promptPreview = options.prompt.length > 60
-            ? options.prompt.substring(0, 60) + '…'
-            : options.prompt;
-        const msg = [
-            `### 🤖 mm-claude \`v${pkg.version}\``,
-            ``,
-            `| | |`,
-            `|:--|:--|`,
-            `| 📂 **Directory** | \`${shortDir}\` |`,
-            `| 👤 **Started by** | @${username} |`,
-            `| 🔢 **Session** | #${sessionNum} of ${MAX_SESSIONS} max |`,
-            `| ${permMode.split(' ')[0]} **Permissions** | ${permMode.split(' ')[1]} |`,
-            ``,
-            `> ${promptPreview}`,
-        ].join('\n');
-        const post = await this.mattermost.createPost(msg, replyToPostId);
+        // Post initial session message (will be updated by updateSessionHeader)
+        const post = await this.mattermost.createPost(`### 🤖 mm-claude \`v${pkg.version}\`\n\n*Starting session...*`, replyToPostId);
         const actualThreadId = replyToPostId || post.id;
         // Create Claude CLI with options
         const cliOptions = {
@@ -116,12 +112,16 @@ export class SessionManager {
             startedBy: username,
             startedAt: new Date(),
             lastActivityAt: new Date(),
+            sessionNumber: this.sessions.size + 1,
             claude,
             currentPostId: null,
             pendingContent: '',
             pendingApproval: null,
             pendingQuestionSet: null,
+            pendingMessageApproval: null,
             planApproved: false,
+            sessionAllowedUsers: new Set([username]), // Owner is always allowed
+            sessionStartPostId: post.id, // Track for updating participants
             tasksPostId: null,
             activeSubagents: new Map(),
             updateTimer: null,
@@ -132,6 +132,8 @@ export class SessionManager {
         this.registerPost(post.id, actualThreadId); // For cancel reactions on session start post
         const shortId = actualThreadId.substring(0, 8);
         console.log(`  ▶ Session #${this.sessions.size} started (${shortId}…) by @${username}`);
+        // Update the header with full session info
+        await this.updateSessionHeader(session);
         // Start typing indicator immediately so user sees activity
         this.startTyping(session);
         // Bind event handlers with closure over threadId
@@ -404,6 +406,11 @@ export class SessionManager {
             await this.handleQuestionReaction(session, postId, emojiName, username);
             return;
         }
+        // Handle message approval reactions
+        if (session.pendingMessageApproval && session.pendingMessageApproval.postId === postId) {
+            await this.handleMessageApprovalReaction(session, emojiName, username);
+            return;
+        }
     }
     async handleQuestionReaction(session, postId, emojiName, username) {
         if (!session.pendingQuestionSet)
@@ -479,6 +486,44 @@ export class SessionManager {
             this.startTyping(session);
         }
     }
+    async handleMessageApprovalReaction(session, emoji, approver) {
+        const pending = session.pendingMessageApproval;
+        if (!pending)
+            return;
+        // Only session owner or globally allowed users can approve
+        if (session.startedBy !== approver && !this.mattermost.isUserAllowed(approver)) {
+            return;
+        }
+        const isAllow = emoji === '+1' || emoji === 'thumbsup';
+        const isInvite = emoji === 'white_check_mark' || emoji === 'heavy_check_mark';
+        const isDeny = emoji === '-1' || emoji === 'thumbsdown';
+        if (!isAllow && !isInvite && !isDeny)
+            return;
+        if (isAllow) {
+            // Allow this single message
+            await this.mattermost.updatePost(pending.postId, `✅ Message from @${pending.fromUser} approved by @${approver}`);
+            session.claude.sendMessage(pending.originalMessage);
+            session.lastActivityAt = new Date();
+            this.startTyping(session);
+            console.log(`  ✅ Message from @${pending.fromUser} approved by @${approver}`);
+        }
+        else if (isInvite) {
+            // Invite user to session
+            session.sessionAllowedUsers.add(pending.fromUser);
+            await this.mattermost.updatePost(pending.postId, `✅ @${pending.fromUser} invited to session by @${approver}`);
+            await this.updateSessionHeader(session);
+            session.claude.sendMessage(pending.originalMessage);
+            session.lastActivityAt = new Date();
+            this.startTyping(session);
+            console.log(`  👋 @${pending.fromUser} invited to session by @${approver}`);
+        }
+        else if (isDeny) {
+            // Deny
+            await this.mattermost.updatePost(pending.postId, `❌ Message from @${pending.fromUser} denied by @${approver}`);
+            console.log(`  ❌ Message from @${pending.fromUser} denied by @${approver}`);
+        }
+        session.pendingMessageApproval = null;
+    }
     formatEvent(session, e) {
         switch (e.type) {
             case 'assistant': {
@@ -724,6 +769,112 @@ export class SessionManager {
         await this.mattermost.createPost(`🛑 **Session cancelled** by @${username}`, threadId);
         this.killSession(threadId);
     }
+    /** Invite a user to participate in a specific session */
+    async inviteUser(threadId, invitedUser, invitedBy) {
+        const session = this.sessions.get(threadId);
+        if (!session)
+            return;
+        // Only session owner or globally allowed users can invite
+        if (session.startedBy !== invitedBy && !this.mattermost.isUserAllowed(invitedBy)) {
+            await this.mattermost.createPost(`⚠️ Only @${session.startedBy} or allowed users can invite others`, threadId);
+            return;
+        }
+        session.sessionAllowedUsers.add(invitedUser);
+        await this.mattermost.createPost(`✅ @${invitedUser} can now participate in this session (invited by @${invitedBy})`, threadId);
+        console.log(`  👋 @${invitedUser} invited to session by @${invitedBy}`);
+        await this.updateSessionHeader(session);
+    }
+    /** Kick a user from a specific session */
+    async kickUser(threadId, kickedUser, kickedBy) {
+        const session = this.sessions.get(threadId);
+        if (!session)
+            return;
+        // Only session owner or globally allowed users can kick
+        if (session.startedBy !== kickedBy && !this.mattermost.isUserAllowed(kickedBy)) {
+            await this.mattermost.createPost(`⚠️ Only @${session.startedBy} or allowed users can kick others`, threadId);
+            return;
+        }
+        // Can't kick session owner
+        if (kickedUser === session.startedBy) {
+            await this.mattermost.createPost(`⚠️ Cannot kick session owner @${session.startedBy}`, threadId);
+            return;
+        }
+        // Can't kick globally allowed users (they'll still have access)
+        if (this.mattermost.isUserAllowed(kickedUser)) {
+            await this.mattermost.createPost(`⚠️ @${kickedUser} is globally allowed and cannot be kicked from individual sessions`, threadId);
+            return;
+        }
+        if (session.sessionAllowedUsers.delete(kickedUser)) {
+            await this.mattermost.createPost(`🚫 @${kickedUser} removed from this session by @${kickedBy}`, threadId);
+            console.log(`  🚫 @${kickedUser} kicked from session by @${kickedBy}`);
+            await this.updateSessionHeader(session);
+        }
+        else {
+            await this.mattermost.createPost(`⚠️ @${kickedUser} was not in this session`, threadId);
+        }
+    }
+    /** Update the session header post with current participants */
+    async updateSessionHeader(session) {
+        if (!session.sessionStartPostId)
+            return;
+        const shortDir = this.workingDir.replace(process.env.HOME || '', '~');
+        const permMode = this.skipPermissions ? '⚡ Auto' : '🔐 Interactive';
+        // Build participants list (excluding owner who is shown in "Started by")
+        const otherParticipants = [...session.sessionAllowedUsers]
+            .filter(u => u !== session.startedBy)
+            .map(u => `@${u}`)
+            .join(', ');
+        const rows = [
+            `| 📂 **Directory** | \`${shortDir}\` |`,
+            `| 👤 **Started by** | @${session.startedBy} |`,
+        ];
+        if (otherParticipants) {
+            rows.push(`| 👥 **Participants** | ${otherParticipants} |`);
+        }
+        rows.push(`| 🔢 **Session** | #${session.sessionNumber} of ${MAX_SESSIONS} max |`);
+        rows.push(`| ${permMode.split(' ')[0]} **Permissions** | ${permMode.split(' ')[1]} |`);
+        const msg = [
+            `### 🤖 mm-claude \`v${pkg.version}\``,
+            ``,
+            `| | |`,
+            `|:--|:--|`,
+            ...rows,
+        ].join('\n');
+        try {
+            await this.mattermost.updatePost(session.sessionStartPostId, msg);
+        }
+        catch (err) {
+            console.error('[Session] Failed to update session header:', err);
+        }
+    }
+    /** Request approval for a message from an unauthorized user */
+    async requestMessageApproval(threadId, username, message) {
+        const session = this.sessions.get(threadId);
+        if (!session)
+            return;
+        // If there's already a pending message approval, ignore
+        if (session.pendingMessageApproval) {
+            return;
+        }
+        const preview = message.length > 100 ? message.substring(0, 100) + '…' : message;
+        const post = await this.mattermost.createPost(`🔒 **@${username}** wants to send a message:\n> ${preview}\n\n` +
+            `React 👍 to allow this message, ✅ to invite them to the session, 👎 to deny`, threadId);
+        session.pendingMessageApproval = {
+            postId: post.id,
+            originalMessage: message,
+            fromUser: username,
+        };
+        this.registerPost(post.id, threadId);
+        // Add reaction options
+        try {
+            await this.mattermost.addReaction(post.id, '+1');
+            await this.mattermost.addReaction(post.id, 'white_check_mark');
+            await this.mattermost.addReaction(post.id, '-1');
+        }
+        catch (err) {
+            console.error('[Session] Failed to add message approval reactions:', err);
+        }
+    }
     /** Kill all active sessions (for graceful shutdown) */
     killAllSessions() {
         const count = this.sessions.size;

package/dist/index.js

@@ -72,16 +72,40 @@ async function main() {
         const threadRoot = post.root_id || post.id;
         // Follow-up in active thread
         if (session.isInSessionThread(threadRoot)) {
-            if (!mattermost.isUserAllowed(username))
-                return;
+            // If message starts with @mention to someone else, ignore it (side conversation)
+            const mentionMatch = message.trim().match(/^@(\w+)/);
+            if (mentionMatch && mentionMatch[1].toLowerCase() !== mattermost.getBotName().toLowerCase()) {
+                return; // Side conversation, don't interrupt
+            }
             const content = mattermost.isBotMentioned(message)
                 ? mattermost.extractPrompt(message)
                 : message.trim();
-            // Check for stop/cancel commands
             const lowerContent = content.toLowerCase();
+            // Check for stop/cancel commands (only from allowed users)
             if (lowerContent === '/stop' || lowerContent === 'stop' ||
                 lowerContent === '/cancel' || lowerContent === 'cancel') {
-                await session.cancelSession(threadRoot, username);
+                if (session.isUserAllowedInSession(threadRoot, username)) {
+                    await session.cancelSession(threadRoot, username);
+                }
+                return;
+            }
+            // Check for /invite command
+            const inviteMatch = content.match(/^\/invite\s+@?(\w+)/i);
+            if (inviteMatch) {
+                await session.inviteUser(threadRoot, inviteMatch[1], username);
+                return;
+            }
+            // Check for /kick command
+            const kickMatch = content.match(/^\/kick\s+@?(\w+)/i);
+            if (kickMatch) {
+                await session.kickUser(threadRoot, kickMatch[1], username);
+                return;
+            }
+            // Check if user is allowed in this session
+            if (!session.isUserAllowedInSession(threadRoot, username)) {
+                // Request approval for their message
+                if (content)
+                    await session.requestMessageApproval(threadRoot, username, content);
                 return;
             }
             if (content)

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "mattermost-claude-code",
-  "version": "0.4.0",
+  "version": "0.5.0",
   "description": "Share Claude Code sessions live in a Mattermost channel with interactive features",
   "main": "dist/index.js",
   "type": "module",