@floomhq/floom 1.0.23 → 1.0.25

package/dist/login.js

@@ -151,6 +151,11 @@ function waitForCallback(port, provider) {
                 });
                 return;
             }
+            if (req.method === "GET" && req.url?.startsWith("/cli-callback")) {
+                res.writeHead(200, { "content-type": "text/html; charset=utf-8" });
+                res.end(localCallbackBridgePage());
+                return;
+            }
             res.writeHead(404, { "content-type": "text/plain" });
             res.end("Not found");
         });
@@ -197,6 +202,47 @@ function parseCallbackBody(body, contentType) {
     }
     return JSON.parse(body);
 }
+function localCallbackBridgePage() {
+    return `<!doctype html>
+<html lang="en">
+<head>
+  <meta charset="utf-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1">
+  <title>Floom CLI sign-in</title>
+</head>
+<body>
+  <p>Completing Floom CLI sign-in...</p>
+  <script>
+    (async function () {
+      try {
+        var params = new URLSearchParams(window.location.hash.slice(1));
+        if (!params.get("access_token") || !params.get("refresh_token")) {
+          document.body.textContent = "OAuth response missing tokens.";
+          return;
+        }
+        var body = new URLSearchParams();
+        ["access_token", "refresh_token", "expires_in", "token_type", "state"].forEach(function (key) {
+          var value = params.get(key);
+          if (value) body.set(key, value);
+        });
+        window.history.replaceState(null, "", window.location.pathname);
+        var res = await fetch("/cli-callback", {
+          method: "POST",
+          headers: { "content-type": "application/x-www-form-urlencoded" },
+          body: body.toString()
+        });
+        var html = await res.text();
+        document.open();
+        document.write(html);
+        document.close();
+      } catch (e) {
+        document.body.textContent = "Could not complete Floom CLI sign-in. Return to your terminal and run floom login again.";
+      }
+    })();
+  </script>
+</body>
+</html>`;
+}
 function localCallbackPage(message) {
     const safeMessage = escapeHtml(message);
     return `<!doctype html>

package/dist/package.js

@@ -5,8 +5,39 @@ import { execFile as execFileCb } from "node:child_process";
 import { promisify } from "node:util";
 import { basename, dirname, isAbsolute, join, relative, resolve, sep } from "node:path";
 import { FloomError } from "./errors.js";
-const ALLOWED_PACKAGE_DIRS = new Set(["references", "examples", "scripts", "assets"]);
+const ALLOWED_PACKAGE_DIRS = new Set([
+    "agents",
+    "assets",
+    "canvas-fonts",
+    "checks",
+    "core",
+    "evidence",
+    "examples",
+    "helpers",
+    "reference",
+    "references",
+    "schemas",
+    "scripts",
+    "spreadsheets",
+    "templates",
+    "tests",
+    "themes",
+]);
 const ALLOWED_PACKAGE_ROOT_FILES = new Set(["SKILL.md", ".gitignore"]);
+const IGNORED_PACKAGE_ROOT_ENTRIES = new Set([".DS_Store", ".git", ".pytest_cache"]);
+const ALLOWED_PACKAGE_ROOT_EXTENSIONS = new Set([
+    ".env.example",
+    ".js",
+    ".json",
+    ".md",
+    ".py",
+    ".sh",
+    ".toml",
+    ".ts",
+    ".txt",
+    ".yaml",
+    ".yml",
+]);
 const PACKAGE_FILE_LIMIT = 100;
 const PACKAGE_TOTAL_BYTES_LIMIT = 1_000_000;
 const PACKAGE_FILE_BYTES_LIMIT = 500_000;
@@ -95,11 +126,38 @@ async function collectPackageFiles(root) {
     const isIgnored = gitIgnoreChecker(root);
     const rootEntries = await readdir(root, { withFileTypes: true });
     for (const entry of rootEntries) {
-        if (ALLOWED_PACKAGE_ROOT_FILES.has(entry.name) || ALLOWED_PACKAGE_DIRS.has(entry.name))
-            continue;
         if (await isIgnored(entry.name))
             continue;
-        const hint = "Move supporting files under references/, examples/, scripts/, or assets/.";
+        if (IGNORED_PACKAGE_ROOT_ENTRIES.has(entry.name))
+            continue;
+        if (ALLOWED_PACKAGE_ROOT_FILES.has(entry.name))
+            continue;
+        if (entry.isDirectory() && ALLOWED_PACKAGE_DIRS.has(entry.name))
+            continue;
+        if (entry.isFile() && isAllowedRootPackageFile(entry.name)) {
+            const rel = entry.name;
+            validatePackageRelativePath(rel);
+            const fullPath = join(root, entry.name);
+            const stat = await lstat(fullPath);
+            if (files.length >= PACKAGE_FILE_LIMIT) {
+                throw new FloomError("Skill package has too many files.", "A skill package is capped at 100 supporting files.");
+            }
+            if (stat.size > PACKAGE_FILE_BYTES_LIMIT) {
+                throw new FloomError(`File too large: ${rel}`, "Each package file is capped at 500KB.");
+            }
+            totalBytes += stat.size;
+            ensurePackageSize(totalBytes);
+            const bytes = await readFile(fullPath);
+            files.push({
+                path: rel,
+                content_base64: bytes.toString("base64"),
+                encoding: "base64",
+                size_bytes: bytes.length,
+                sha256: sha256Bytes(bytes),
+            });
+            continue;
+        }
+        const hint = `Move supporting files under one of: ${Array.from(ALLOWED_PACKAGE_DIRS).sort().join(", ")}.`;
         throw new FloomError(`Unsupported root package entry: ${entry.name}`, hint);
     }
     for (const dirName of ALLOWED_PACKAGE_DIRS) {
@@ -121,13 +179,22 @@ async function collectPackageFiles(root) {
             throw new FloomError(`Package entry must be a directory: ${dirName}`);
         await collectDir(root, dirPath, files, isIgnored, (size) => {
             totalBytes += size;
-            if (totalBytes > PACKAGE_TOTAL_BYTES_LIMIT) {
-                throw new FloomError("Skill package is too large.", "A skill package is capped at 1MB total.");
-            }
+            ensurePackageSize(totalBytes);
         });
     }
     return files.sort((a, b) => a.path.localeCompare(b.path));
 }
+function isAllowedRootPackageFile(name) {
+    if (name.startsWith(".") && name !== ".env.example")
+        return false;
+    const lower = name.toLowerCase();
+    return Array.from(ALLOWED_PACKAGE_ROOT_EXTENSIONS).some((ext) => lower.endsWith(ext));
+}
+function ensurePackageSize(totalBytes) {
+    if (totalBytes > PACKAGE_TOTAL_BYTES_LIMIT) {
+        throw new FloomError("Skill package is too large.", "A skill package is capped at 1MB total.");
+    }
+}
 async function collectDir(root, dir, files, isIgnored, addBytes) {
     const entries = await readdir(dir, { withFileTypes: true });
     for (const entry of entries) {
@@ -237,8 +304,11 @@ export function validatePackageRelativePath(path) {
         throw new FloomError(`Invalid package file path: ${path}`);
     }
     const segments = path.split("/");
-    if (segments.length < 2 || !ALLOWED_PACKAGE_DIRS.has(segments[0] ?? "")) {
-        throw new FloomError(`Invalid package file path: ${path}`, "Package files must be under references/, examples/, scripts/, or assets/.");
+    if (segments.length === 1 && !isAllowedRootPackageFile(segments[0] ?? "")) {
+        throw new FloomError(`Invalid package file path: ${path}`, "Root package files must be safe text files such as .md, .txt, .json, .yaml, .toml, .py, .sh, .js, or .ts.");
+    }
+    if (segments.length > 1 && !ALLOWED_PACKAGE_DIRS.has(segments[0] ?? "")) {
+        throw new FloomError(`Invalid package file path: ${path}`, `Package files must be root text files or live under one of: ${Array.from(ALLOWED_PACKAGE_DIRS).sort().join(", ")}.`);
     }
     if (segments.some((segment) => segment === "." || segment === ".." || !PACKAGE_SEGMENT_RE.test(segment))) {
         throw new FloomError(`Invalid package file path: ${path}`);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@floomhq/floom",
-  "version": "1.0.23",
+  "version": "1.0.25",
   "description": "Sync AI skills across agents and machines.",
   "license": "MIT",
   "type": "module",