@floomhq/floom-mcp-sync 1.0.11 → 1.0.13

package/README.md

@@ -59,7 +59,7 @@ Version 1 sync does not replace existing local files. Remote updates, existing u
 
 The poll uses HTTP `If-None-Match` against `/api/v1/me/skills`, so unchanged responses are `304` with no body. If a Floom-tracked local file is missing after a `304`, MCP refetches once without the ETag so Version 1 can recreate missing files without overwriting existing files.
 
-Configure the preview poll interval with `FLOOM_SYNC_INTERVAL_MS` (default `60000`, minimum `10000`).
+Configure the poll interval with `FLOOM_SYNC_INTERVAL_MS` (default `60000`, minimum `10000`).
 
 ## Tools
 

package/dist/auto-sync.js

@@ -1,7 +1,7 @@
 import { constants } from "node:fs";
 import { lstat, mkdir, open } from "node:fs/promises";
 import { basename, dirname, isAbsolute, join, relative, resolve, sep } from "node:path";
-import { apiUrlFromConfig, readConfig } from "./lib/config.js";
+import { apiUrlFromConfig, readConfig, refreshConfig } from "./lib/config.js";
 import { getJsonWithEtag, FloomApiError } from "./lib/api.js";
 import { sha256 } from "./lib/hash.js";
 import { assertValidSlug } from "./lib/slug.js";
@@ -23,6 +23,17 @@ const PACKAGE_FILE_LIMIT = 100;
 const PACKAGE_TOTAL_BYTES_LIMIT = 1_000_000;
 const PACKAGE_FILE_BYTES_LIMIT = 500_000;
 const BASE64_RE = /^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$/;
+function hasStructuredPath(skill) {
+    return Boolean(skill.library_slug || skill.folder);
+}
+function dedupeSyncSkills(skills) {
+    const structuredSlugs = new Set();
+    for (const skill of skills) {
+        if (hasStructuredPath(skill))
+            structuredSlugs.add(skill.slug);
+    }
+    return skills.filter((skill) => !structuredSlugs.has(skill.slug) || hasStructuredPath(skill));
+}
 async function localState(path) {
     try {
         const handle = await open(path, constants.O_RDONLY | constants.O_NOFOLLOW);
@@ -243,21 +254,29 @@ export async function autoSync(log = (message) => process.stderr.write(`${messag
     return await withSyncLock(async () => {
         const manifest = await readSyncManifest();
         const root = skillsDir();
-        const apiUrl = apiUrlFromConfig(cfg);
+        let activeCfg = cfg;
+        const apiUrl = apiUrlFromConfig(activeCfg);
         let response;
         try {
-            response = await getJsonWithEtag(`${apiUrl}/api/v1/me/skills`, cfg.accessToken, cachedEtag, signal);
+            response = await getJsonWithEtag(`${apiUrl}/api/v1/me/skills`, activeCfg.accessToken, cachedEtag, signal);
         }
         catch (err) {
             if (err instanceof FloomApiError && err.status === 401) {
-                maybeAuthWarning(log, "[floom] sign-in expired; skipping sync (run `npx -y @floomhq/floom login` again)");
-                return { synced: 0, unchanged: 0, updated: 0, conflicts: 0 };
+                const refreshed = await refreshConfig(activeCfg);
+                if (!refreshed) {
+                    maybeAuthWarning(log, "[floom] sign-in expired; skipping sync (run `npx -y @floomhq/floom login` again)");
+                    return { synced: 0, unchanged: 0, updated: 0, conflicts: 0 };
+                }
+                activeCfg = refreshed;
+                response = await getJsonWithEtag(`${apiUrl}/api/v1/me/skills`, activeCfg.accessToken, cachedEtag, signal);
+            }
+            else {
+                throw err;
             }
-            throw err;
         }
         if (response.status === 304) {
             if (await manifestHasMissingTrackedFile(manifest, root)) {
-                response = await getJsonWithEtag(`${apiUrl}/api/v1/me/skills`, cfg.accessToken, null, signal);
+                response = await getJsonWithEtag(`${apiUrl}/api/v1/me/skills`, activeCfg.accessToken, null, signal);
             }
             else {
                 maybeHeartbeat(log);
@@ -280,9 +299,12 @@ export async function autoSync(log = (message) => process.stderr.write(`${messag
         }
         for (const skill of payload.skills)
             validateSyncSkillShape(skill);
-        // Version 1 preview syncs owned published skills only.
+        // Version 1 receives published, saved, and subscribed library skills through
+        // the single /me/skills response. If a slug appears both at top level and in
+        // a library/folder placement, keep only the structured placement so agents do
+        // not see duplicate native packages.
         const buckets = [
-            { skills: payload.skills, defaultLib: null },
+            { skills: dedupeSyncSkills(payload.skills), defaultLib: null },
         ];
         let unchanged = 0;
         let updated = 0;
@@ -414,7 +436,7 @@ export async function autoSync(log = (message) => process.stderr.write(`${messag
             if (updated > 0) {
                 // Activation telemetry counts syncs that write new content. Best-effort;
                 // never blocks or throws.
-                void emitSyncCompleted(apiUrl, cfg.accessToken, { total, updated, unchanged }, signal).catch(() => { });
+                void emitSyncCompleted(apiUrl, activeCfg.accessToken, { total, updated, unchanged }, signal).catch(() => { });
             }
         }
         else if (conflicts > 0) {

package/dist/lib/api.js

@@ -6,6 +6,53 @@ export class FloomApiError extends Error {
         this.name = "FloomApiError";
     }
 }
+export const DEFAULT_TIMEOUT_MS = 15_000;
+function withTimeout(signal) {
+    const controller = new AbortController();
+    const timeoutMs = requestTimeoutMs();
+    const timer = setTimeout(() => controller.abort(), timeoutMs);
+    const abort = () => controller.abort();
+    signal?.addEventListener("abort", abort, { once: true });
+    if (signal?.aborted)
+        controller.abort();
+    const aborted = new Promise((_, reject) => {
+        controller.signal.addEventListener("abort", () => {
+            reject(new FloomApiError(408, "Request timed out while contacting Floom."));
+        }, { once: true });
+    });
+    return {
+        signal: controller.signal,
+        aborted,
+        cleanup: () => {
+            clearTimeout(timer);
+            signal?.removeEventListener("abort", abort);
+        },
+    };
+}
+function requestTimeoutMs() {
+    const fromEnv = Number(process.env.FLOOM_REQUEST_TIMEOUT_MS);
+    if (Number.isFinite(fromEnv) && fromEnv > 0)
+        return fromEnv;
+    return DEFAULT_TIMEOUT_MS;
+}
+async function fetchWithTimeout(url, init, signal) {
+    const timeout = withTimeout(signal);
+    try {
+        return await Promise.race([
+            fetch(url, { ...init, signal: timeout.signal }),
+            timeout.aborted,
+        ]);
+    }
+    catch (err) {
+        if (err.name === "AbortError") {
+            throw new FloomApiError(408, "Request timed out while contacting Floom.");
+        }
+        throw err;
+    }
+    finally {
+        timeout.cleanup();
+    }
+}
 async function readError(res) {
     const text = await res.text();
     if (!text)
@@ -24,10 +71,7 @@ export async function getJson(url, token, signal) {
     const headers = {};
     if (token)
         headers.authorization = `Bearer ${token}`;
-    const init = { headers };
-    if (signal)
-        init.signal = signal;
-    const res = await fetch(url, init);
+    const res = await fetchWithTimeout(url, { headers }, signal);
     if (!res.ok)
         throw new FloomApiError(res.status, await readError(res));
     return (await res.json());
@@ -40,10 +84,7 @@ export async function getJsonWithEtag(url, token, etag, signal) {
     const headers = { authorization: `Bearer ${token}` };
     if (etag)
         headers["if-none-match"] = etag;
-    const init = { headers };
-    if (signal)
-        init.signal = signal;
-    const res = await fetch(url, init);
+    const res = await fetchWithTimeout(url, { headers }, signal);
     const responseEtag = res.headers.get("etag");
     if (res.status === 304) {
         return { status: 304, body: null, etag: responseEtag ?? etag };
@@ -54,10 +95,7 @@ export async function getJsonWithEtag(url, token, etag, signal) {
     return { status: res.status, body, etag: responseEtag };
 }
 export async function getText(url, signal) {
-    const init = {};
-    if (signal)
-        init.signal = signal;
-    const res = await fetch(url, init);
+    const res = await fetchWithTimeout(url, {}, signal);
     if (!res.ok)
         throw new FloomApiError(res.status, await readError(res));
     return res.text();
@@ -71,9 +109,7 @@ export async function postJson(url, token, body, signal) {
         },
         body: JSON.stringify(body),
     };
-    if (signal)
-        init.signal = signal;
-    const res = await fetch(url, init);
+    const res = await fetchWithTimeout(url, init, signal);
     if (!res.ok)
         throw new FloomApiError(res.status, await readError(res));
     return (await res.json());
@@ -87,9 +123,7 @@ export async function putJson(url, token, body, signal) {
         },
         body: JSON.stringify(body),
     };
-    if (signal)
-        init.signal = signal;
-    const res = await fetch(url, init);
+    const res = await fetchWithTimeout(url, init, signal);
     if (!res.ok)
         throw new FloomApiError(res.status, await readError(res));
     return (await res.json());
@@ -99,9 +133,7 @@ export async function deleteRequest(url, token, signal) {
         method: "DELETE",
         headers: { authorization: `Bearer ${token}` },
     };
-    if (signal)
-        init.signal = signal;
-    const res = await fetch(url, init);
+    const res = await fetchWithTimeout(url, init, signal);
     if (!res.ok)
         throw new FloomApiError(res.status, await readError(res));
     return (await res.json());

package/dist/lib/config.js

@@ -1,8 +1,10 @@
-import { readFile } from "node:fs/promises";
+import { chmod, mkdir, readFile, writeFile } from "node:fs/promises";
+import { dirname } from "node:path";
 import { configPath } from "./paths.js";
 export const DEFAULT_API_URL = "https://floom.dev";
+const REFRESH_SKEW_SECONDS = 5 * 60;
 export function apiUrlFromConfig(cfg) {
-    return (cfg.apiUrl ?? process.env.FLOOM_API_URL ?? DEFAULT_API_URL).replace(/\/$/, "");
+    return (process.env.FLOOM_API_URL ?? cfg.apiUrl ?? DEFAULT_API_URL).replace(/\/$/, "");
 }
 export async function readConfig() {
     try {
@@ -10,13 +12,16 @@ export async function readConfig() {
         const parsed = JSON.parse(raw);
         if (typeof parsed.accessToken !== "string" || parsed.accessToken.length === 0)
             return null;
-        return {
+        const cfg = {
             accessToken: parsed.accessToken,
             ...(typeof parsed.apiUrl === "string" ? { apiUrl: parsed.apiUrl } : {}),
             ...(typeof parsed.refreshToken === "string" ? { refreshToken: parsed.refreshToken } : {}),
             ...(typeof parsed.expiresAt === "number" ? { expiresAt: parsed.expiresAt } : {}),
             ...(typeof parsed.email === "string" || parsed.email === null ? { email: parsed.email } : {}),
         };
+        if (needsRefresh(cfg))
+            return refreshConfig(cfg);
+        return cfg;
     }
     catch (err) {
         if (err.code === "ENOENT")
@@ -24,3 +29,53 @@ export async function readConfig() {
         throw err;
     }
 }
+export function needsRefresh(cfg) {
+    if (!cfg.refreshToken)
+        return false;
+    return !Number.isFinite(cfg.expiresAt) || Number(cfg.expiresAt) <= Math.floor(Date.now() / 1000) + REFRESH_SKEW_SECONDS;
+}
+export async function refreshConfig(cfg) {
+    if (!cfg.refreshToken)
+        return cfg;
+    const apiUrl = apiUrlFromConfig(cfg);
+    let res;
+    try {
+        res = await fetch(`${apiUrl}/api/v1/auth/refresh`, {
+            method: "POST",
+            headers: { "content-type": "application/json" },
+            body: JSON.stringify({ refresh_token: cfg.refreshToken }),
+        });
+    }
+    catch {
+        return null;
+    }
+    if (!res.ok)
+        return null;
+    let data;
+    try {
+        data = await res.json();
+    }
+    catch {
+        return null;
+    }
+    if (typeof data.access_token !== "string" || typeof data.refresh_token !== "string")
+        return null;
+    const expiresAt = typeof data.expires_at === "number" && Number.isFinite(data.expires_at)
+        ? data.expires_at
+        : Math.floor(Date.now() / 1000) + (typeof data.expires_in === "number" && Number.isFinite(data.expires_in) ? data.expires_in : 3600);
+    const refreshed = {
+        apiUrl,
+        accessToken: data.access_token,
+        refreshToken: data.refresh_token,
+        expiresAt,
+        email: typeof data.email === "string" || data.email === null ? data.email : cfg.email ?? null,
+    };
+    await writeConfig(refreshed);
+    return refreshed;
+}
+async function writeConfig(cfg) {
+    const target = configPath();
+    await mkdir(dirname(target), { recursive: true, mode: 0o700 });
+    await writeFile(target, JSON.stringify(cfg, null, 2), { mode: 0o600 });
+    await chmod(target, 0o600);
+}

package/dist/server.js

@@ -5,7 +5,7 @@ import { autoSync } from "./auto-sync.js";
 import { getSkill } from "./tools/get.js";
 import { searchSkills } from "./tools/search.js";
 import { syncStatus } from "./tools/status.js";
-const SERVER_VERSION = "1.0.11";
+const SERVER_VERSION = "1.0.13";
 const DEFAULT_INTERVAL_MS = 60_000;
 const MIN_INTERVAL_MS = 10_000;
 const SEARCH_TYPES = new Set(["knowledge", "instruction", "workflow", "skill"]);
@@ -30,7 +30,7 @@ function abortAutoSync() {
 function usage() {
     return `
 floom-mcp-sync v${SERVER_VERSION}
-Floom MCP server for Version 1 preview sync.
+Floom MCP server for Version 1 sync.
 
 Usage
   floom-mcp-sync

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@floomhq/floom-mcp-sync",
-  "version": "1.0.11",
-  "description": "Lightweight Floom MCP server for installing, publishing, and startup-syncing skills.",
+  "version": "1.0.13",
+  "description": "Lightweight Floom MCP server for search, on-demand skill fetch, status, and sync.",
   "license": "MIT",
   "type": "module",
   "bin": {
@@ -9,7 +9,12 @@
   },
   "files": [
     "bin",
-    "dist",
+    "dist/auto-sync.js",
+    "dist/lib",
+    "dist/server.js",
+    "dist/tools/get.js",
+    "dist/tools/search.js",
+    "dist/tools/status.js",
     "README.md",
     "LICENSE"
   ],

package/dist/tools/install.js

@@ -1,117 +0,0 @@
-import { constants } from "node:fs";
-import { lstat, mkdir, open } from "node:fs/promises";
-import { createHash } from "node:crypto";
-import { basename, dirname, isAbsolute, join, relative, resolve, sep } from "node:path";
-import { apiUrlFromConfig, readConfig, DEFAULT_API_URL } from "../lib/config.js";
-import { getText } from "../lib/api.js";
-import { assertValidSlug } from "../lib/slug.js";
-import { skillPath, skillsDir } from "../lib/paths.js";
-const FD_PATH_ROOT = "/proc/self/fd";
-export async function installSkill(slug) {
-    assertValidSlug(slug);
-    const cfg = await readConfig();
-    const apiUrl = cfg ? apiUrlFromConfig(cfg) : (process.env.FLOOM_API_URL ?? DEFAULT_API_URL).replace(/\/$/, "");
-    const body = await getText(`${apiUrl}/s/${slug}.md`);
-    if (typeof body !== "string")
-        throw new Error("Invalid skill response");
-    const target = skillPath(slug);
-    const remoteHash = sha256(body);
-    const existing = await localHash(target);
-    if (existing !== null && existing !== remoteHash) {
-        throw new Error("Local skill already exists with different content");
-    }
-    if (existing === null)
-        await writeInstallFile(target, body);
-    return { slug, path: target, bytes: Buffer.byteLength(body) };
-}
-function sha256(input) {
-    return createHash("sha256").update(input).digest("hex");
-}
-async function localHash(path) {
-    try {
-        const handle = await open(path, constants.O_RDONLY | constants.O_NOFOLLOW);
-        try {
-            const stat = await handle.stat();
-            if (!stat.isFile())
-                throw new Error("path is blocked by an existing local file or directory");
-            return sha256(await handle.readFile("utf8"));
-        }
-        finally {
-            await handle.close();
-        }
-    }
-    catch (err) {
-        if (err.code === "ENOENT")
-            return null;
-        throw err;
-    }
-}
-async function writeInstallFile(target, body) {
-    const parent = await openSafeParentDirectory(skillsDir(), target);
-    let handle = null;
-    try {
-        handle = await open(childCreatePath(parent, dirname(target), basename(target)), constants.O_WRONLY | constants.O_CREAT | constants.O_EXCL | constants.O_NOFOLLOW, 0o600);
-        await writeAll(handle, body);
-    }
-    finally {
-        await handle?.close();
-        await parent.close();
-    }
-}
-async function openSafeParentDirectory(root, target) {
-    await ensureSafeParentDirectory(root, target);
-    return open(dirname(target), constants.O_RDONLY | constants.O_DIRECTORY | constants.O_NOFOLLOW);
-}
-function childCreatePath(parent, fallbackParent, name) {
-    if (process.platform === "linux")
-        return `${FD_PATH_ROOT}/${parent.fd}/${name}`;
-    return join(resolve(fallbackParent), name);
-}
-async function writeAll(handle, body) {
-    const buffer = Buffer.from(body, "utf8");
-    let offset = 0;
-    while (offset < buffer.length) {
-        const result = await handle.write(buffer, offset, buffer.length - offset, offset);
-        if (result.bytesWritten === 0)
-            throw new Error("failed to write local skill file");
-        offset += result.bytesWritten;
-    }
-}
-async function ensureSafeParentDirectory(root, target) {
-    const resolvedRoot = resolve(root);
-    const resolvedParent = resolve(dirname(target));
-    const relativeParent = relative(resolvedRoot, resolvedParent);
-    if (relativeParent === ".." || relativeParent.startsWith(`..${sep}`) || isAbsolute(relativeParent)) {
-        throw new Error("Invalid skill target path");
-    }
-    await mkdir(resolvedRoot, { recursive: true, mode: 0o700 });
-    await assertSafeDirectory(resolvedRoot);
-    if (!relativeParent || relativeParent === ".")
-        return;
-    let current = resolvedRoot;
-    for (const segment of relativeParent.split(sep).filter(Boolean)) {
-        current = join(current, segment);
-        try {
-            await assertSafeDirectory(current);
-        }
-        catch (err) {
-            if (err.code !== "ENOENT")
-                throw err;
-            await mkdir(current, { mode: 0o700 });
-            await assertSafeDirectory(current);
-        }
-    }
-}
-async function assertSafeDirectory(path) {
-    const stat = await lstat(path);
-    if (stat.isSymbolicLink()) {
-        const err = new Error("path contains a symbolic link");
-        err.code = "ELOOP";
-        throw err;
-    }
-    if (!stat.isDirectory()) {
-        const err = new Error("path is blocked by an existing local file or directory");
-        err.code = "ENOTDIR";
-        throw err;
-    }
-}

package/dist/tools/libraries.js

@@ -1,28 +0,0 @@
-import { apiUrlFromConfig, readConfig, DEFAULT_API_URL } from "../lib/config.js";
-import { deleteRequest, getJson, postJson, putJson } from "../lib/api.js";
-export async function listLibraries() {
-    const cfg = await readConfig();
-    const apiUrl = cfg ? apiUrlFromConfig(cfg) : (process.env.FLOOM_API_URL ?? DEFAULT_API_URL).replace(/\/$/, "");
-    return await getJson(`${apiUrl}/api/v1/libraries`, cfg?.accessToken);
-}
-export async function subscribeLibrary(slug) {
-    const cfg = await readConfig();
-    if (!cfg)
-        throw new Error("Not signed in. Run `npx -y @floomhq/floom login` first.");
-    const apiUrl = apiUrlFromConfig(cfg);
-    return await postJson(`${apiUrl}/api/v1/me/subscriptions`, cfg.accessToken, { library_slug: slug });
-}
-export async function unsubscribeLibrary(slug) {
-    const cfg = await readConfig();
-    if (!cfg)
-        throw new Error("Not signed in. Run `npx -y @floomhq/floom login` first.");
-    const apiUrl = apiUrlFromConfig(cfg);
-    return await deleteRequest(`${apiUrl}/api/v1/me/subscriptions/${encodeURIComponent(slug)}`, cfg.accessToken);
-}
-export async function moveSkill(slug, folder, tags) {
-    const cfg = await readConfig();
-    if (!cfg)
-        throw new Error("Not signed in. Run `npx -y @floomhq/floom login` first.");
-    const apiUrl = apiUrlFromConfig(cfg);
-    return await putJson(`${apiUrl}/api/v1/me/skills/${encodeURIComponent(slug)}/override`, cfg.accessToken, { folder, tags });
-}

package/dist/tools/publish.js

@@ -1,24 +0,0 @@
-import { apiUrlFromConfig, readConfig } from "../lib/config.js";
-import { postJson } from "../lib/api.js";
-export async function publishSkill(name, content, description, visibility = "unlisted", assetType = "skill", installsAs = "claude_skill", version) {
-    const cfg = await readConfig();
-    if (!cfg)
-        throw new Error("Not signed in. Run `npx -y @floomhq/floom login` first.");
-    const apiUrl = apiUrlFromConfig(cfg);
-    const data = await postJson(`${apiUrl}/api/skills`, cfg.accessToken, {
-        title: name,
-        description: description ?? null,
-        body_md: content,
-        visibility,
-        asset_type: assetType,
-        source: "markdown",
-        installs_as: installsAs,
-        version: version ?? null,
-        published_via: "mcp",
-    });
-    return {
-        slug: data.slug,
-        url: data.url ?? `${apiUrl}/s/${data.slug}.md`,
-        ...(data.version ? { version: data.version } : {}),
-    };
-}