@flomenco/claude-plugin-mcp 0.1.1 → 0.1.3

package/README.md

@@ -11,6 +11,7 @@ It exposes authentication + plugin tools:
 - `flo_auth_logout`
 
 - `flo_search`
+- `flo_query`
 - `flo_skill_routing`
 - `flo_qc_logo`
 - `flo_command` (raw passthrough for troubleshooting)
@@ -161,6 +162,7 @@ After Claude starts with MCP enabled:
 - Run `flo_auth_setup_help` if you need the Flo settings URL for locating `FLO_OAUTH_CLIENT_ID`
 - Run `flo_plugin_healthcheck` (expect `runtime.reachable: true`)
 - Run `flo_search` with `query="hail mary"`
+- Or run `flo_query` with `query="hail mary"` to get filename-first results and next command templates
 - `flo_skill_routing` with an `assetId` from search
 - `flo_qc_logo` with `assetId` and `referenceAssetId`
 
@@ -171,5 +173,6 @@ One-shot E2E:
 Expected output shape:
 
 - search: `status`, `menuItems[]`
+- query: `status`, `filenames[]`, `results[]`
 - skill-routing: `status`, `skills[]`, includes `/flo:qc-logo`
 - qc-logo: `status`, `result.overall|summary|assetId|assetUrl|findings`

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@flomenco/claude-plugin-mcp",
-  "version": "0.1.1",
+  "version": "0.1.3",
   "description": "Flo Claude Co-Work plugin bridge for Claude Desktop/Code",
   "private": false,
   "license": "UNLICENSED",

package/src/index.js

@@ -1,5 +1,4 @@
 #!/usr/bin/env node
-
 import { Server } from "@modelcontextprotocol/sdk/server/index.js";
 import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
 import {
@@ -18,6 +17,7 @@ import { spawn } from "node:child_process";
 const DEFAULT_TIMEOUT_MS = 60_000;
 const OAUTH_WAIT_TIMEOUT_MS = 180_000;
 const TOKEN_REFRESH_SKEW_SECONDS = 60;
+const ASSET_ID_REGEX = /^[A-Za-z0-9._-]+$/;
 const DEFAULT_TOKEN_CACHE_PATH = path.join(
   os.homedir(),
   ".flo",
@@ -79,6 +79,17 @@ function defaultSettingsUrlForEnv() {
   return "https://dev.floapp.co/settings/api";
 }
 
+function defaultWebAppUrlForEnv() {
+  const env = normalizedPluginEnv();
+  if (env === "prod") {
+    return "https://floapp.co";
+  }
+  if (env === "stg") {
+    return "https://stg.floapp.co";
+  }
+  return "https://dev.floapp.co";
+}
+
 function getInvocationUrl() {
   const raw =
     process.env.FLO_INTERFACE_AGENT_INVOCATION_URL ||
@@ -120,6 +131,8 @@ function getOAuthConfig(strict = false) {
     process.env.FLO_OAUTH_CLIENT_ID_HELP_URL ||
     defaultSettingsUrlForEnv()
   ).trim();
+  const rawAppLoginUrl = (process.env.FLO_OAUTH_APP_LOGIN_URL || "").trim();
+  const appLoginUrl = rawAppLoginUrl || `${defaultWebAppUrlForEnv()}/login`;
 
   const ready = Boolean(authorizeUrl && tokenUrl && clientId);
   if (strict && !ready) {
@@ -142,6 +155,7 @@ function getOAuthConfig(strict = false) {
     userPoolName,
     expectedClientName,
     settingsUrl,
+    appLoginUrl,
   };
 }
 
@@ -284,6 +298,127 @@ function openBrowser(url) {
   }
 }
 
+function escapeHtml(value) {
+  return String(value || "")
+    .replaceAll("&", "&")
+    .replaceAll("<", "&lt;")
+    .replaceAll(">", "&gt;")
+    .replaceAll('"', "&quot;")
+    .replaceAll("'", "&#39;");
+}
+
+function renderOAuthCallbackPage({ status, title, message, details }) {
+  const isSuccess = status === "success";
+  const badgeText = isSuccess ? "Flo Connected" : "Flo Connection Error";
+  const badgeColor = isSuccess ? "#22c55e" : "#ef4444";
+  const symbol = isSuccess ? "✓" : "!";
+  const detailsHtml = details
+    ? `<pre class="details">${escapeHtml(details)}</pre>`
+    : "";
+
+  return `<!doctype html>
+<html lang="en">
+  <head>
+    <meta charset="utf-8" />
+    <meta name="viewport" content="width=device-width, initial-scale=1" />
+    <title>${escapeHtml(title)}</title>
+    <style>
+      :root {
+        color-scheme: dark;
+      }
+      body {
+        margin: 0;
+        min-height: 100vh;
+        font-family:
+          Inter,
+          -apple-system,
+          BlinkMacSystemFont,
+          "Segoe UI",
+          Roboto,
+          "Helvetica Neue",
+          Arial,
+          sans-serif;
+        background: radial-gradient(circle at top, #1a2138 0%, #0b1020 58%);
+        color: #e5e7eb;
+        display: grid;
+        place-items: center;
+        padding: 24px;
+      }
+      .card {
+        width: min(560px, 100%);
+        border: 1px solid rgba(148, 163, 184, 0.28);
+        background: rgba(15, 23, 42, 0.76);
+        backdrop-filter: blur(8px);
+        border-radius: 16px;
+        padding: 26px;
+        box-shadow: 0 16px 42px rgba(2, 6, 23, 0.35);
+      }
+      .badge {
+        display: inline-flex;
+        align-items: center;
+        gap: 8px;
+        border-radius: 999px;
+        border: 1px solid ${badgeColor};
+        color: ${badgeColor};
+        padding: 6px 10px;
+        font-size: 12px;
+        font-weight: 700;
+        letter-spacing: 0.02em;
+      }
+      .badge span {
+        display: inline-grid;
+        place-items: center;
+        width: 16px;
+        height: 16px;
+        border-radius: 999px;
+        background: ${badgeColor};
+        color: #ffffff;
+        font-size: 12px;
+        line-height: 1;
+      }
+      h1 {
+        margin: 14px 0 10px;
+        font-size: 24px;
+        line-height: 1.2;
+      }
+      p {
+        margin: 0;
+        color: #cbd5e1;
+        line-height: 1.5;
+      }
+      .hint {
+        margin-top: 16px;
+        border-top: 1px solid rgba(148, 163, 184, 0.2);
+        padding-top: 14px;
+        font-size: 14px;
+        color: #94a3b8;
+      }
+      .details {
+        margin: 14px 0 0;
+        padding: 12px;
+        border-radius: 10px;
+        border: 1px solid rgba(148, 163, 184, 0.26);
+        background: rgba(2, 6, 23, 0.55);
+        color: #dbeafe;
+        white-space: pre-wrap;
+        word-break: break-word;
+        font-size: 12px;
+        line-height: 1.45;
+      }
+    </style>
+  </head>
+  <body>
+    <main class="card">
+      <div class="badge"><span>${symbol}</span>${badgeText}</div>
+      <h1>${escapeHtml(title)}</h1>
+      <p>${escapeHtml(message)}</p>
+      ${detailsHtml}
+      <p class="hint">You can close this tab and return to Claude.</p>
+    </main>
+  </body>
+</html>`;
+}
+
 async function waitForOAuthCode(redirectUri, expectedState) {
   const parsed = new URL(redirectUri);
   if (parsed.protocol !== "http:") {
@@ -314,21 +449,43 @@ async function waitForOAuthCode(redirectUri, expectedState) {
         if (oauthError) {
           clearTimeout(timer);
           res.statusCode = 400;
-          res.end("OAuth failed. You can close this window.");
+          res.setHeader("content-type", "text/html; charset=utf-8");
+          res.end(
+            renderOAuthCallbackPage({
+              status: "error",
+              title: "Flo OAuth failed",
+              message: "The identity provider returned an error.",
+              details: `error=${oauthError}`,
+            })
+          );
           reject(new Error(`OAuth provider returned error=${oauthError}`));
           return;
         }
         if (!returnedCode) {
           clearTimeout(timer);
           res.statusCode = 400;
-          res.end("Missing code. You can close this window.");
+          res.setHeader("content-type", "text/html; charset=utf-8");
+          res.end(
+            renderOAuthCallbackPage({
+              status: "error",
+              title: "Flo OAuth failed",
+              message: "The callback did not include an authorization code.",
+            })
+          );
           reject(new Error("OAuth callback missing code"));
           return;
         }
         if (returnedState !== expectedState) {
           clearTimeout(timer);
           res.statusCode = 400;
-          res.end("Invalid state. You can close this window.");
+          res.setHeader("content-type", "text/html; charset=utf-8");
+          res.end(
+            renderOAuthCallbackPage({
+              status: "error",
+              title: "Flo OAuth failed",
+              message: "State mismatch detected. Please retry login.",
+            })
+          );
           reject(new Error("OAuth state mismatch"));
           return;
         }
@@ -337,7 +494,12 @@ async function waitForOAuthCode(redirectUri, expectedState) {
         res.statusCode = 200;
         res.setHeader("content-type", "text/html; charset=utf-8");
         res.end(
-          "<html><body><h3>Flo OAuth complete.</h3><p>You can close this tab and return to Claude.</p></body></html>"
+          renderOAuthCallbackPage({
+            status: "success",
+            title: "Flo OAuth complete",
+            message:
+              "Authentication succeeded and your plugin token is now linked.",
+          })
         );
         resolve(returnedCode);
       } catch (err) {
@@ -496,6 +658,17 @@ function requireString(value, fieldName) {
   return value.trim();
 }
 
+function requireAssetId(value, fieldName) {
+  const assetId = requireString(value, fieldName);
+  if (assetId.length > 128 || !ASSET_ID_REGEX.test(assetId)) {
+    throw new McpError(
+      ErrorCode.InvalidParams,
+      `\`${fieldName}\` must match ^[A-Za-z0-9._-]+$ and be <= 128 chars.`
+    );
+  }
+  return assetId;
+}
+
 function assertSearchPayload(payload) {
   if (!payload || payload.status !== "ok" || !Array.isArray(payload.menuItems)) {
     throw new McpError(
@@ -595,7 +768,7 @@ const tools = [
   {
     name: "flo_auth_login",
     description:
-      "Start OAuth login (browser PKCE flow), cache token locally, and return auth status.",
+      "Start OAuth login (browser PKCE flow), cache token locally, and return auth status. If prompted by hosted login UI, first sign in via appLoginUrl.",
     inputSchema: {
       type: "object",
       properties: {},
@@ -630,6 +803,28 @@ const tools = [
       additionalProperties: false,
     },
   },
+  {
+    name: "flo_analyze",
+    description:
+      "Analyze an asset directly (friendly alias for /flo:analyze-image <assetId>).",
+    inputSchema: {
+      type: "object",
+      properties: {
+        assetId: {
+          type: "string",
+          minLength: 1,
+          maxLength: 128,
+          pattern: "^[A-Za-z0-9._-]+$",
+        },
+        authToken: {
+          type: "string",
+          description: "Optional bearer token override for this call only.",
+        },
+      },
+      required: ["assetId"],
+      additionalProperties: false,
+    },
+  },
   {
     name: "flo_search",
     description:
@@ -647,14 +842,36 @@ const tools = [
       additionalProperties: false,
     },
   },
+  {
+    name: "flo_query",
+    description:
+      "Run /flo:query against interface-agent and return filename-first candidates plus follow-up commands.",
+    inputSchema: {
+      type: "object",
+      properties: {
+        query: { type: "string", minLength: 1 },
+        authToken: {
+          type: "string",
+          description: "Optional bearer token override for this call only.",
+        },
+      },
+      required: ["query"],
+      additionalProperties: false,
+    },
+  },
   {
     name: "flo_skill_routing",
     description:
-      "Run /flo:skill-routing for an asset and return available plugin skills.",
+      "List available actions for an asset (what can I do with this file?).",
     inputSchema: {
       type: "object",
       properties: {
-        assetId: { type: "string", minLength: 1 },
+        assetId: {
+          type: "string",
+          minLength: 1,
+          maxLength: 128,
+          pattern: "^[A-Za-z0-9._-]+$",
+        },
         authToken: {
           type: "string",
           description: "Optional bearer token override for this call only.",
@@ -796,6 +1013,7 @@ server.setRequestHandler(CallToolRequestSchema, async (request) => {
       oauthUserPoolName: oauth.userPoolName,
       oauthUserPoolId: oauth.userPoolId || null,
       oauthSettingsUrl: oauth.settingsUrl,
+      appLoginUrl: oauth.appLoginUrl,
       envTokenConfigured: envToken,
       cachePath: getTokenCachePath(),
       cachedTokenPresent: Boolean(cachedToken?.access_token),
@@ -818,11 +1036,19 @@ server.setRequestHandler(CallToolRequestSchema, async (request) => {
       oauthUserPoolName: oauth.userPoolName,
       oauthUserPoolId: oauth.userPoolId || null,
       oauthSettingsUrl: oauth.settingsUrl,
+      appLoginUrl: oauth.appLoginUrl,
       message:
-        "Open oauthSettingsUrl, then copy the app client id for oauthExpectedClientName into FLO_OAUTH_CLIENT_ID.",
+        "If hosted login UI appears, sign in at appLoginUrl first, then run flo_auth_login again. Open oauthSettingsUrl to copy client id for oauthExpectedClientName into FLO_OAUTH_CLIENT_ID.",
     });
   }
 
+  if (name === "flo_analyze") {
+    const assetId = requireAssetId(args.assetId, "assetId");
+    const prompt = `/flo:analyze-image ${assetId}`;
+    const bodyText = await invokeInterfaceAgent(prompt, args.authToken);
+    return asTextResult(parseMaybeJson(bodyText) || bodyText);
+  }
+
   if (name === "flo_auth_logout") {
     await clearCachedToken();
     return asTextResult({
@@ -839,8 +1065,15 @@ server.setRequestHandler(CallToolRequestSchema, async (request) => {
     return asTextResult(parseMaybeJson(bodyText) || bodyText);
   }
 
+  if (name === "flo_query") {
+    const query = requireString(args.query, "query");
+    const prompt = `/flo:query ${query}`;
+    const bodyText = await invokeInterfaceAgent(prompt, args.authToken);
+    return asTextResult(parseMaybeJson(bodyText) || bodyText);
+  }
+
   if (name === "flo_skill_routing") {
-    const assetId = requireString(args.assetId, "assetId");
+    const assetId = requireAssetId(args.assetId, "assetId");
     const prompt = `/flo:skill-routing ${assetId}`;
     const bodyText = await invokeInterfaceAgent(prompt, args.authToken);
     return asTextResult(parseMaybeJson(bodyText) || bodyText);