@floomhq/floom-mcp-sync 1.0.26 → 1.0.27

package/README.md

@@ -49,7 +49,7 @@ args = ["-y", "@floomhq/floom-mcp-sync"]
 FLOOM_SKILLS_DIR = "~/.codex/skills"
 ```
 
-Directory resolution order is `FLOOM_SKILLS_DIR`, `CLAUDE_SKILLS_DIR`, `CODEX_SKILLS_DIR`, then `~/.claude/skills`.
+Directory resolution order is `FLOOM_SKILLS_DIR`, `CLAUDE_SKILLS_DIR`, `CODEX_SKILLS_DIR`, `CURSOR_SKILLS_DIR`, `OPENCODE_SKILLS_DIR`, `KIMI_SKILLS_DIR`, then `~/.claude/skills`.
 
 ## Sync Behavior
 
@@ -59,7 +59,7 @@ Version 1 sync does not replace existing local files. Remote updates, existing u
 
 The poll uses HTTP `If-None-Match` against `/api/v1/me/skills`, so unchanged responses are `304` with no body. If a Floom-tracked local file is missing after a `304`, MCP refetches once without the ETag so Version 1 can recreate missing files without overwriting existing files.
 
-Configure the poll interval with `FLOOM_SYNC_INTERVAL_MS` (default `60000`, minimum `10000`).
+Configure the preview poll interval with `FLOOM_SYNC_INTERVAL_MS` (default `60000`, minimum `10000`).
 
 ## Tools
 

package/dist/auto-sync.js

@@ -1,7 +1,7 @@
 import { constants } from "node:fs";
 import { lstat, mkdir, open } from "node:fs/promises";
 import { basename, dirname, isAbsolute, join, relative, resolve, sep } from "node:path";
-import { apiUrlFromConfig, readConfig, refreshConfig } from "./lib/config.js";
+import { apiUrlFromConfig, readConfig } from "./lib/config.js";
 import { getJsonWithEtag, FloomApiError } from "./lib/api.js";
 import { sha256 } from "./lib/hash.js";
 import { assertValidSlug } from "./lib/slug.js";
@@ -18,52 +18,110 @@ const AUTH_WARNING_MS = 10 * 60 * 1000;
 const MANIFEST_SEGMENT_RE = /^[A-Za-z0-9._-]{1,128}$/;
 const PACKAGE_FILE_SEGMENT_RE = /^[A-Za-z0-9._-]{1,128}$/;
 const SUPPORT_DIRS = new Set([
+    ".github",
     "agents",
     "assets",
+    "bin",
     "canvas-fonts",
     "checks",
+    "claude",
+    "codex",
+    "contrib",
     "core",
+    "cursor",
+    "design",
+    "docs",
     "evidence",
     "examples",
+    "extension",
     "helpers",
+    "hosts",
+    "kimi",
+    "lib",
+    "migrations",
+    "model-overlays",
+    "openclaw",
+    "opencode",
     "reference",
     "references",
-    "schemas",
+    "remotion-starter",
     "scripts",
-    "spreadsheets",
+    "sdk",
+    "schemas",
+    "src",
+    "specialists",
+    "supabase",
     "templates",
+    "test",
     "tests",
     "themes",
+    "vendor",
 ]);
-const ROOT_FILE_EXTENSIONS = [
+const ROOT_SUPPORT_FILES = new Set([
     ".env.example",
-    ".js",
-    ".json",
-    ".md",
-    ".py",
-    ".sh",
-    ".toml",
-    ".ts",
-    ".txt",
-    ".yaml",
-    ".yml",
-];
+    "ACKNOWLEDGEMENTS.md",
+    "CHANGELOG.md",
+    "LICENSE",
+    "LICENSE.md",
+    "LICENSE.txt",
+    "README.md",
+    "AGENTS.md",
+    "ARCHITECTURE.md",
+    "BROWSER.md",
+    "CLAUDE.md",
+    "CONTRIBUTING.md",
+    "DESIGN.md",
+    "ETHOS.md",
+    "PLAN-snapshot-dropdown-interactive.md",
+    "REMOTION_PROTOCOL.md",
+    "SKILL.md.tmpl",
+    "TODOS.md",
+    "TODOS-format.md",
+    "USING_GBRAIN_WITH_GSTACK.md",
+    "VERSION",
+    ".gitlab-ci.yml",
+    "actionlint.yaml",
+    "bun.lock",
+    "checklist.md",
+    "conductor.json",
+    "design-checklist.md",
+    "dx-hall-of-fame.md",
+    "editing.md",
+    "forms.md",
+    "instructions.md",
+    "nanobanana.py",
+    "package.json",
+    "plan.md",
+    "pptxgenjs.md",
+    "reference.md",
+    "requirements.txt",
+    "greptile-triage.md",
+    "setup",
+    "skill.md",
+    "slop-scan.config.json",
+    "style_guidelines.md",
+    "theme-showcase.pdf",
+]);
+const GENERATED_PACKAGE_DIRS = new Set([
+    ".cache",
+    ".git",
+    ".next",
+    ".pytest_cache",
+    "__pycache__",
+    "build",
+    "coverage",
+    "dist",
+    "fixtures",
+    "node_modules",
+    "out",
+]);
+const GENERATED_PACKAGE_FILES = new Set([".DS_Store"]);
+const GENERATED_PACKAGE_FILE_SUFFIXES = [".icns", ".log", ".mov", ".mp3", ".mp4", ".pyc", ".pyo", ".wav", ".webm"];
 const FD_PATH_ROOT = "/proc/self/fd";
-const PACKAGE_FILE_LIMIT = 100;
-const PACKAGE_TOTAL_BYTES_LIMIT = 1_000_000;
+const PACKAGE_FILE_LIMIT = 1000;
+const PACKAGE_TOTAL_BYTES_LIMIT = 8_000_000;
 const PACKAGE_FILE_BYTES_LIMIT = 500_000;
 const BASE64_RE = /^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$/;
-function hasStructuredPath(skill) {
-    return Boolean(skill.library_slug || skill.folder);
-}
-function dedupeSyncSkills(skills) {
-    const structuredSlugs = new Set();
-    for (const skill of skills) {
-        if (hasStructuredPath(skill))
-            structuredSlugs.add(skill.slug);
-    }
-    return skills.filter((skill) => !structuredSlugs.has(skill.slug) || hasStructuredPath(skill));
-}
 async function localState(path) {
     try {
         const handle = await open(path, constants.O_RDONLY | constants.O_NOFOLLOW);
@@ -203,7 +261,7 @@ function normalizePackageFilePath(path) {
     const segments = path.split("/").filter(Boolean);
     if (segments.length === 1 && segments[0] === "SKILL.md")
         return "SKILL.md";
-    if (segments.length === 1 && isAllowedRootPackageFile(segments[0] ?? ""))
+    if (segments.length === 1 && ROOT_SUPPORT_FILES.has(segments[0] ?? ""))
         return segments[0] ?? "";
     const first = segments[0];
     if (segments.length < 2 || first === undefined || !SUPPORT_DIRS.has(first)) {
@@ -212,13 +270,18 @@ function normalizePackageFilePath(path) {
     if (segments.some((segment) => segment === "." || segment === ".." || !PACKAGE_FILE_SEGMENT_RE.test(segment))) {
         throw new Error("Invalid package file path");
     }
+    if (segments.some((segment, index) => {
+        const isLast = index === segments.length - 1;
+        if (!isLast && GENERATED_PACKAGE_DIRS.has(segment))
+            return true;
+        if (GENERATED_PACKAGE_FILES.has(segment))
+            return true;
+        return isLast && GENERATED_PACKAGE_FILE_SUFFIXES.some((suffix) => segment.endsWith(suffix));
+    })) {
+        throw new Error("Generated package artifacts are not allowed");
+    }
     return segments.join("/");
 }
-function isAllowedRootPackageFile(name) {
-    if (!name || (name.startsWith(".") && name !== ".env.example"))
-        return false;
-    return ROOT_FILE_EXTENSIONS.some((ext) => name.toLowerCase().endsWith(ext));
-}
 async function planPackageSync(root, files, manifest) {
     let missing = 0;
     let unchanged = 0;
@@ -247,8 +310,12 @@ async function planPackageSync(root, files, manifest) {
             missing += 1;
             continue;
         }
-        if (!tracked)
-            return { kind: "conflict", target: file.target, reason: "existing file is not tracked by Floom sync" };
+        if (!tracked) {
+            if (state.hash !== file.hash)
+                return { kind: "conflict", target: file.target, reason: "existing file is not tracked by Floom sync" };
+            unchanged += 1;
+            continue;
+        }
         if (state.hash !== tracked.hash)
             return { kind: "conflict", target: file.target, reason: "local file changed since the last Floom sync" };
         if (state.hash !== file.hash)
@@ -291,29 +358,21 @@ export async function autoSync(log = (message) => process.stderr.write(`${messag
     return await withSyncLock(async () => {
         const manifest = await readSyncManifest();
         const root = skillsDir();
-        let activeCfg = cfg;
-        const apiUrl = apiUrlFromConfig(activeCfg);
+        const apiUrl = apiUrlFromConfig(cfg);
         let response;
         try {
-            response = await getJsonWithEtag(`${apiUrl}/api/v1/me/skills`, activeCfg.accessToken, cachedEtag, signal);
+            response = await getJsonWithEtag(`${apiUrl}/api/v1/me/skills`, cfg.accessToken, cachedEtag, signal);
         }
         catch (err) {
             if (err instanceof FloomApiError && err.status === 401) {
-                const refreshed = await refreshConfig(activeCfg);
-                if (!refreshed) {
-                    maybeAuthWarning(log, "[floom] sign-in expired; skipping sync (run `npx -y @floomhq/floom login` again)");
-                    return { synced: 0, unchanged: 0, updated: 0, conflicts: 0 };
-                }
-                activeCfg = refreshed;
-                response = await getJsonWithEtag(`${apiUrl}/api/v1/me/skills`, activeCfg.accessToken, cachedEtag, signal);
-            }
-            else {
-                throw err;
+                maybeAuthWarning(log, "[floom] sign-in expired; skipping sync (run `npx -y @floomhq/floom login` again)");
+                return { synced: 0, unchanged: 0, updated: 0, conflicts: 0 };
             }
+            throw err;
         }
         if (response.status === 304) {
             if (await manifestHasMissingTrackedFile(manifest, root)) {
-                response = await getJsonWithEtag(`${apiUrl}/api/v1/me/skills`, activeCfg.accessToken, null, signal);
+                response = await getJsonWithEtag(`${apiUrl}/api/v1/me/skills`, cfg.accessToken, null, signal);
             }
             else {
                 maybeHeartbeat(log);
@@ -336,12 +395,9 @@ export async function autoSync(log = (message) => process.stderr.write(`${messag
         }
         for (const skill of payload.skills)
             validateSyncSkillShape(skill);
-        // Version 1 receives published, saved, and subscribed library skills through
-        // the single /me/skills response. If a slug appears both at top level and in
-        // a library/folder placement, keep only the structured placement so agents do
-        // not see duplicate native packages.
+        // Version 1 preview syncs owned published skills only.
         const buckets = [
-            { skills: dedupeSyncSkills(payload.skills), defaultLib: null },
+            { skills: payload.skills, defaultLib: null },
         ];
         let unchanged = 0;
         let updated = 0;
@@ -395,6 +451,9 @@ export async function autoSync(log = (message) => process.stderr.write(`${messag
                     continue;
                 }
                 if (plan.kind === "unchanged") {
+                    for (const file of packageFiles)
+                        markSynced(manifest, manifestKey(root, file.target), skill.slug, file.hash);
+                    await writeSyncManifest(manifest);
                     unchanged += 1;
                     continue;
                 }
@@ -473,7 +532,7 @@ export async function autoSync(log = (message) => process.stderr.write(`${messag
             if (updated > 0) {
                 // Activation telemetry counts syncs that write new content. Best-effort;
                 // never blocks or throws.
-                void emitSyncCompleted(apiUrl, activeCfg.accessToken, { total, updated, unchanged }, signal).catch(() => { });
+                void emitSyncCompleted(apiUrl, cfg.accessToken, { total, updated, unchanged }, signal).catch(() => { });
             }
         }
         else if (conflicts > 0) {

package/dist/lib/api.js

@@ -6,53 +6,6 @@ export class FloomApiError extends Error {
         this.name = "FloomApiError";
     }
 }
-export const DEFAULT_TIMEOUT_MS = 15_000;
-function withTimeout(signal) {
-    const controller = new AbortController();
-    const timeoutMs = requestTimeoutMs();
-    const timer = setTimeout(() => controller.abort(), timeoutMs);
-    const abort = () => controller.abort();
-    signal?.addEventListener("abort", abort, { once: true });
-    if (signal?.aborted)
-        controller.abort();
-    const aborted = new Promise((_, reject) => {
-        controller.signal.addEventListener("abort", () => {
-            reject(new FloomApiError(408, "Request timed out while contacting Floom."));
-        }, { once: true });
-    });
-    return {
-        signal: controller.signal,
-        aborted,
-        cleanup: () => {
-            clearTimeout(timer);
-            signal?.removeEventListener("abort", abort);
-        },
-    };
-}
-function requestTimeoutMs() {
-    const fromEnv = Number(process.env.FLOOM_REQUEST_TIMEOUT_MS);
-    if (Number.isFinite(fromEnv) && fromEnv > 0)
-        return fromEnv;
-    return DEFAULT_TIMEOUT_MS;
-}
-async function fetchWithTimeout(url, init, signal) {
-    const timeout = withTimeout(signal);
-    try {
-        return await Promise.race([
-            fetch(url, { ...init, signal: timeout.signal }),
-            timeout.aborted,
-        ]);
-    }
-    catch (err) {
-        if (err.name === "AbortError") {
-            throw new FloomApiError(408, "Request timed out while contacting Floom.");
-        }
-        throw err;
-    }
-    finally {
-        timeout.cleanup();
-    }
-}
 async function readError(res) {
     const text = await res.text();
     if (!text)
@@ -71,7 +24,10 @@ export async function getJson(url, token, signal) {
     const headers = {};
     if (token)
         headers.authorization = `Bearer ${token}`;
-    const res = await fetchWithTimeout(url, { headers }, signal);
+    const init = { headers };
+    if (signal)
+        init.signal = signal;
+    const res = await fetch(url, init);
     if (!res.ok)
         throw new FloomApiError(res.status, await readError(res));
     return (await res.json());
@@ -84,7 +40,10 @@ export async function getJsonWithEtag(url, token, etag, signal) {
     const headers = { authorization: `Bearer ${token}` };
     if (etag)
         headers["if-none-match"] = etag;
-    const res = await fetchWithTimeout(url, { headers }, signal);
+    const init = { headers };
+    if (signal)
+        init.signal = signal;
+    const res = await fetch(url, init);
     const responseEtag = res.headers.get("etag");
     if (res.status === 304) {
         return { status: 304, body: null, etag: responseEtag ?? etag };
@@ -95,7 +54,10 @@ export async function getJsonWithEtag(url, token, etag, signal) {
     return { status: res.status, body, etag: responseEtag };
 }
 export async function getText(url, signal) {
-    const res = await fetchWithTimeout(url, {}, signal);
+    const init = {};
+    if (signal)
+        init.signal = signal;
+    const res = await fetch(url, init);
     if (!res.ok)
         throw new FloomApiError(res.status, await readError(res));
     return res.text();
@@ -109,7 +71,9 @@ export async function postJson(url, token, body, signal) {
         },
         body: JSON.stringify(body),
     };
-    const res = await fetchWithTimeout(url, init, signal);
+    if (signal)
+        init.signal = signal;
+    const res = await fetch(url, init);
     if (!res.ok)
         throw new FloomApiError(res.status, await readError(res));
     return (await res.json());
@@ -123,7 +87,9 @@ export async function putJson(url, token, body, signal) {
         },
         body: JSON.stringify(body),
     };
-    const res = await fetchWithTimeout(url, init, signal);
+    if (signal)
+        init.signal = signal;
+    const res = await fetch(url, init);
     if (!res.ok)
         throw new FloomApiError(res.status, await readError(res));
     return (await res.json());
@@ -133,7 +99,9 @@ export async function deleteRequest(url, token, signal) {
         method: "DELETE",
         headers: { authorization: `Bearer ${token}` },
     };
-    const res = await fetchWithTimeout(url, init, signal);
+    if (signal)
+        init.signal = signal;
+    const res = await fetch(url, init);
     if (!res.ok)
         throw new FloomApiError(res.status, await readError(res));
     return (await res.json());

package/dist/lib/config.js

@@ -1,10 +1,8 @@
-import { chmod, mkdir, readFile, writeFile } from "node:fs/promises";
-import { dirname } from "node:path";
+import { readFile } from "node:fs/promises";
 import { configPath } from "./paths.js";
 export const DEFAULT_API_URL = "https://floom.dev";
-const REFRESH_SKEW_SECONDS = 5 * 60;
 export function apiUrlFromConfig(cfg) {
-    return (process.env.FLOOM_API_URL ?? cfg.apiUrl ?? DEFAULT_API_URL).replace(/\/$/, "");
+    return (cfg.apiUrl ?? process.env.FLOOM_API_URL ?? DEFAULT_API_URL).replace(/\/$/, "");
 }
 export async function readConfig() {
     try {
@@ -12,16 +10,13 @@ export async function readConfig() {
         const parsed = JSON.parse(raw);
         if (typeof parsed.accessToken !== "string" || parsed.accessToken.length === 0)
             return null;
-        const cfg = {
+        return {
             accessToken: parsed.accessToken,
             ...(typeof parsed.apiUrl === "string" ? { apiUrl: parsed.apiUrl } : {}),
             ...(typeof parsed.refreshToken === "string" ? { refreshToken: parsed.refreshToken } : {}),
             ...(typeof parsed.expiresAt === "number" ? { expiresAt: parsed.expiresAt } : {}),
             ...(typeof parsed.email === "string" || parsed.email === null ? { email: parsed.email } : {}),
         };
-        if (needsRefresh(cfg))
-            return refreshConfig(cfg);
-        return cfg;
     }
     catch (err) {
         if (err.code === "ENOENT")
@@ -29,53 +24,3 @@ export async function readConfig() {
         throw err;
     }
 }
-export function needsRefresh(cfg) {
-    if (!cfg.refreshToken)
-        return false;
-    return !Number.isFinite(cfg.expiresAt) || Number(cfg.expiresAt) <= Math.floor(Date.now() / 1000) + REFRESH_SKEW_SECONDS;
-}
-export async function refreshConfig(cfg) {
-    if (!cfg.refreshToken)
-        return cfg;
-    const apiUrl = apiUrlFromConfig(cfg);
-    let res;
-    try {
-        res = await fetch(`${apiUrl}/api/v1/auth/refresh`, {
-            method: "POST",
-            headers: { "content-type": "application/json" },
-            body: JSON.stringify({ refresh_token: cfg.refreshToken }),
-        });
-    }
-    catch {
-        return null;
-    }
-    if (!res.ok)
-        return null;
-    let data;
-    try {
-        data = await res.json();
-    }
-    catch {
-        return null;
-    }
-    if (typeof data.access_token !== "string" || typeof data.refresh_token !== "string")
-        return null;
-    const expiresAt = typeof data.expires_at === "number" && Number.isFinite(data.expires_at)
-        ? data.expires_at
-        : Math.floor(Date.now() / 1000) + (typeof data.expires_in === "number" && Number.isFinite(data.expires_in) ? data.expires_in : 3600);
-    const refreshed = {
-        apiUrl,
-        accessToken: data.access_token,
-        refreshToken: data.refresh_token,
-        expiresAt,
-        email: typeof data.email === "string" || data.email === null ? data.email : cfg.email ?? null,
-    };
-    await writeConfig(refreshed);
-    return refreshed;
-}
-async function writeConfig(cfg) {
-    const target = configPath();
-    await mkdir(dirname(target), { recursive: true, mode: 0o700 });
-    await writeFile(target, JSON.stringify(cfg, null, 2), { mode: 0o600 });
-    await chmod(target, 0o600);
-}

package/dist/lib/manifest.js

@@ -33,51 +33,13 @@ function isEntryForKey(key, value) {
 function isPackageFilePath(packagePath) {
     if (packagePath.length === 1 && packagePath[0] === "SKILL.md")
         return true;
-    if (packagePath.length === 1 && isAllowedRootPackageFile(packagePath[0] ?? ""))
-        return true;
     if (packagePath.length < 2)
         return false;
     const first = packagePath[0];
-    if (first === undefined || !SUPPORT_DIRS.has(first))
+    if (first === undefined || !["references", "examples", "scripts", "assets"].includes(first))
         return false;
     return packagePath.every((segment) => segment !== "." && segment !== ".." && segment.length > 0);
 }
-const SUPPORT_DIRS = new Set([
-    "agents",
-    "assets",
-    "canvas-fonts",
-    "checks",
-    "core",
-    "evidence",
-    "examples",
-    "helpers",
-    "reference",
-    "references",
-    "schemas",
-    "scripts",
-    "spreadsheets",
-    "templates",
-    "tests",
-    "themes",
-]);
-const ROOT_FILE_EXTENSIONS = [
-    ".env.example",
-    ".js",
-    ".json",
-    ".md",
-    ".py",
-    ".sh",
-    ".toml",
-    ".ts",
-    ".txt",
-    ".yaml",
-    ".yml",
-];
-function isAllowedRootPackageFile(name) {
-    if (!name || (name.startsWith(".") && name !== ".env.example"))
-        return false;
-    return ROOT_FILE_EXTENSIONS.some((ext) => name.toLowerCase().endsWith(ext));
-}
 export async function readSyncManifest() {
     try {
         await ensureSyncManifestDir();

package/dist/lib/paths.js

@@ -8,6 +8,9 @@ export function skillsDir() {
     return expandHome(process.env.FLOOM_SKILLS_DIR
         ?? process.env.CLAUDE_SKILLS_DIR
         ?? process.env.CODEX_SKILLS_DIR
+        ?? process.env.CURSOR_SKILLS_DIR
+        ?? process.env.OPENCODE_SKILLS_DIR
+        ?? process.env.KIMI_SKILLS_DIR
         ?? join(homedir(), ".claude", "skills"));
 }
 function expandHome(path) {

package/dist/server.js

@@ -5,7 +5,7 @@ import { autoSync } from "./auto-sync.js";
 import { getSkill } from "./tools/get.js";
 import { searchSkills } from "./tools/search.js";
 import { syncStatus } from "./tools/status.js";
-const SERVER_VERSION = "1.0.26";
+const SERVER_VERSION = "1.0.27";
 const DEFAULT_INTERVAL_MS = 60_000;
 const MIN_INTERVAL_MS = 10_000;
 const SEARCH_TYPES = new Set(["knowledge", "instruction", "workflow", "skill"]);
@@ -30,7 +30,7 @@ function abortAutoSync() {
 function usage() {
     return `
 floom-mcp-sync v${SERVER_VERSION}
-Floom MCP server for Version 1 sync.
+Floom MCP server for Version 1 preview sync.
 
 Usage
   floom-mcp-sync
@@ -49,6 +49,9 @@ Env
   FLOOM_SKILLS_DIR           Override the native skills directory.
   CLAUDE_SKILLS_DIR          Claude skills directory override.
   CODEX_SKILLS_DIR           Codex skills directory override.
+  CURSOR_SKILLS_DIR          Cursor skills directory override.
+  OPENCODE_SKILLS_DIR        OpenCode skills directory override.
+  KIMI_SKILLS_DIR            Kimi skills directory override.
   FLOOM_SYNC_INTERVAL_MS     Poll interval in milliseconds. Minimum: 10000.
 `.trimStart();
 }

package/dist/tools/get.js

@@ -6,37 +6,7 @@ const PACKAGE_FILE_LIMIT = 100;
 const PACKAGE_FILE_BYTES_LIMIT = 500_000;
 const PACKAGE_TOTAL_BYTES_LIMIT = 1_000_000;
 const PATH_SEGMENT_RE = /^[A-Za-z0-9._-]{1,128}$/;
-const SUPPORT_DIRS = new Set([
-    "agents",
-    "assets",
-    "canvas-fonts",
-    "checks",
-    "core",
-    "evidence",
-    "examples",
-    "helpers",
-    "reference",
-    "references",
-    "schemas",
-    "scripts",
-    "spreadsheets",
-    "templates",
-    "tests",
-    "themes",
-]);
-const ROOT_FILE_EXTENSIONS = [
-    ".env.example",
-    ".js",
-    ".json",
-    ".md",
-    ".py",
-    ".sh",
-    ".toml",
-    ".ts",
-    ".txt",
-    ".yaml",
-    ".yml",
-];
+const SUPPORT_DIRS = new Set(["references", "examples", "scripts", "assets"]);
 const SHA256_RE = /^[a-f0-9]{64}$/i;
 const BASE64_RE = /^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$/;
 export async function getSkill(slug) {
@@ -60,7 +30,7 @@ export async function getSkill(slug) {
         content: detail.body_md,
         package: {
             main: "SKILL.md",
-            supporting_dirs: Array.from(SUPPORT_DIRS),
+            supporting_dirs: ["references", "examples", "scripts", "assets"],
         },
         package_files: normalizePackageFiles(detail.package_files ?? detail.files),
     };
@@ -133,16 +103,9 @@ function isSafePackagePath(path) {
     if (!path || path.length > 512 || path.startsWith("/") || path.includes("\\") || path.includes("//"))
         return false;
     const segments = path.split("/");
-    if (segments.length === 1)
-        return isAllowedRootPackageFile(segments[0] ?? "") && PATH_SEGMENT_RE.test(segments[0] ?? "");
     if (segments.length < 2)
         return false;
     if (!SUPPORT_DIRS.has(segments[0] ?? ""))
         return false;
     return segments.every((segment) => PATH_SEGMENT_RE.test(segment) && segment !== "." && segment !== "..");
 }
-function isAllowedRootPackageFile(name) {
-    if (!name || (name.startsWith(".") && name !== ".env.example"))
-        return false;
-    return ROOT_FILE_EXTENSIONS.some((ext) => name.toLowerCase().endsWith(ext));
-}

package/dist/tools/install.js

@@ -0,0 +1,117 @@
+import { constants } from "node:fs";
+import { lstat, mkdir, open } from "node:fs/promises";
+import { createHash } from "node:crypto";
+import { basename, dirname, isAbsolute, join, relative, resolve, sep } from "node:path";
+import { apiUrlFromConfig, readConfig, DEFAULT_API_URL } from "../lib/config.js";
+import { getText } from "../lib/api.js";
+import { assertValidSlug } from "../lib/slug.js";
+import { skillPath, skillsDir } from "../lib/paths.js";
+const FD_PATH_ROOT = "/proc/self/fd";
+export async function installSkill(slug) {
+    assertValidSlug(slug);
+    const cfg = await readConfig();
+    const apiUrl = cfg ? apiUrlFromConfig(cfg) : (process.env.FLOOM_API_URL ?? DEFAULT_API_URL).replace(/\/$/, "");
+    const body = await getText(`${apiUrl}/s/${slug}.md`);
+    if (typeof body !== "string")
+        throw new Error("Invalid skill response");
+    const target = skillPath(slug);
+    const remoteHash = sha256(body);
+    const existing = await localHash(target);
+    if (existing !== null && existing !== remoteHash) {
+        throw new Error("Local skill already exists with different content");
+    }
+    if (existing === null)
+        await writeInstallFile(target, body);
+    return { slug, path: target, bytes: Buffer.byteLength(body) };
+}
+function sha256(input) {
+    return createHash("sha256").update(input).digest("hex");
+}
+async function localHash(path) {
+    try {
+        const handle = await open(path, constants.O_RDONLY | constants.O_NOFOLLOW);
+        try {
+            const stat = await handle.stat();
+            if (!stat.isFile())
+                throw new Error("path is blocked by an existing local file or directory");
+            return sha256(await handle.readFile("utf8"));
+        }
+        finally {
+            await handle.close();
+        }
+    }
+    catch (err) {
+        if (err.code === "ENOENT")
+            return null;
+        throw err;
+    }
+}
+async function writeInstallFile(target, body) {
+    const parent = await openSafeParentDirectory(skillsDir(), target);
+    let handle = null;
+    try {
+        handle = await open(childCreatePath(parent, dirname(target), basename(target)), constants.O_WRONLY | constants.O_CREAT | constants.O_EXCL | constants.O_NOFOLLOW, 0o600);
+        await writeAll(handle, body);
+    }
+    finally {
+        await handle?.close();
+        await parent.close();
+    }
+}
+async function openSafeParentDirectory(root, target) {
+    await ensureSafeParentDirectory(root, target);
+    return open(dirname(target), constants.O_RDONLY | constants.O_DIRECTORY | constants.O_NOFOLLOW);
+}
+function childCreatePath(parent, fallbackParent, name) {
+    if (process.platform === "linux")
+        return `${FD_PATH_ROOT}/${parent.fd}/${name}`;
+    return join(resolve(fallbackParent), name);
+}
+async function writeAll(handle, body) {
+    const buffer = Buffer.from(body, "utf8");
+    let offset = 0;
+    while (offset < buffer.length) {
+        const result = await handle.write(buffer, offset, buffer.length - offset, offset);
+        if (result.bytesWritten === 0)
+            throw new Error("failed to write local skill file");
+        offset += result.bytesWritten;
+    }
+}
+async function ensureSafeParentDirectory(root, target) {
+    const resolvedRoot = resolve(root);
+    const resolvedParent = resolve(dirname(target));
+    const relativeParent = relative(resolvedRoot, resolvedParent);
+    if (relativeParent === ".." || relativeParent.startsWith(`..${sep}`) || isAbsolute(relativeParent)) {
+        throw new Error("Invalid skill target path");
+    }
+    await mkdir(resolvedRoot, { recursive: true, mode: 0o700 });
+    await assertSafeDirectory(resolvedRoot);
+    if (!relativeParent || relativeParent === ".")
+        return;
+    let current = resolvedRoot;
+    for (const segment of relativeParent.split(sep).filter(Boolean)) {
+        current = join(current, segment);
+        try {
+            await assertSafeDirectory(current);
+        }
+        catch (err) {
+            if (err.code !== "ENOENT")
+                throw err;
+            await mkdir(current, { mode: 0o700 });
+            await assertSafeDirectory(current);
+        }
+    }
+}
+async function assertSafeDirectory(path) {
+    const stat = await lstat(path);
+    if (stat.isSymbolicLink()) {
+        const err = new Error("path contains a symbolic link");
+        err.code = "ELOOP";
+        throw err;
+    }
+    if (!stat.isDirectory()) {
+        const err = new Error("path is blocked by an existing local file or directory");
+        err.code = "ENOTDIR";
+        throw err;
+    }
+}

package/dist/tools/libraries.js

@@ -0,0 +1,28 @@
+import { apiUrlFromConfig, readConfig, DEFAULT_API_URL } from "../lib/config.js";
+import { deleteRequest, getJson, postJson, putJson } from "../lib/api.js";
+export async function listLibraries() {
+    const cfg = await readConfig();
+    const apiUrl = cfg ? apiUrlFromConfig(cfg) : (process.env.FLOOM_API_URL ?? DEFAULT_API_URL).replace(/\/$/, "");
+    return await getJson(`${apiUrl}/api/v1/libraries`, cfg?.accessToken);
+}
+export async function subscribeLibrary(slug) {
+    const cfg = await readConfig();
+    if (!cfg)
+        throw new Error("Not signed in. Run `npx -y @floomhq/floom login` first.");
+    const apiUrl = apiUrlFromConfig(cfg);
+    return await postJson(`${apiUrl}/api/v1/me/subscriptions`, cfg.accessToken, { library_slug: slug });
+}
+export async function unsubscribeLibrary(slug) {
+    const cfg = await readConfig();
+    if (!cfg)
+        throw new Error("Not signed in. Run `npx -y @floomhq/floom login` first.");
+    const apiUrl = apiUrlFromConfig(cfg);
+    return await deleteRequest(`${apiUrl}/api/v1/me/subscriptions/${encodeURIComponent(slug)}`, cfg.accessToken);
+}
+export async function moveSkill(slug, folder, tags) {
+    const cfg = await readConfig();
+    if (!cfg)
+        throw new Error("Not signed in. Run `npx -y @floomhq/floom login` first.");
+    const apiUrl = apiUrlFromConfig(cfg);
+    return await putJson(`${apiUrl}/api/v1/me/skills/${encodeURIComponent(slug)}/override`, cfg.accessToken, { folder, tags });
+}

package/dist/tools/publish.js

@@ -0,0 +1,24 @@
+import { apiUrlFromConfig, readConfig } from "../lib/config.js";
+import { postJson } from "../lib/api.js";
+export async function publishSkill(name, content, description, visibility = "unlisted", assetType = "skill", installsAs = "claude_skill", version) {
+    const cfg = await readConfig();
+    if (!cfg)
+        throw new Error("Not signed in. Run `npx -y @floomhq/floom login` first.");
+    const apiUrl = apiUrlFromConfig(cfg);
+    const data = await postJson(`${apiUrl}/api/skills`, cfg.accessToken, {
+        title: name,
+        description: description ?? null,
+        body_md: content,
+        visibility,
+        asset_type: assetType,
+        source: "markdown",
+        installs_as: installsAs,
+        version: version ?? null,
+        published_via: "mcp",
+    });
+    return {
+        slug: data.slug,
+        url: data.url ?? `${apiUrl}/s/${data.slug}.md`,
+        ...(data.version ? { version: data.version } : {}),
+    };
+}

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@floomhq/floom-mcp-sync",
-  "version": "1.0.26",
-  "description": "Lightweight Floom MCP server for search, on-demand skill fetch, status, and sync.",
+  "version": "1.0.27",
+  "description": "Lightweight Floom MCP server for installing, publishing, and startup-syncing skills.",
   "license": "MIT",
   "type": "module",
   "bin": {
@@ -9,12 +9,7 @@
   },
   "files": [
     "bin",
-    "dist/auto-sync.js",
-    "dist/lib",
-    "dist/server.js",
-    "dist/tools/get.js",
-    "dist/tools/search.js",
-    "dist/tools/status.js",
+    "dist",
     "README.md",
     "LICENSE"
   ],