@floomhq/floom 1.0.24 → 1.0.25

package/dist/package.js

@@ -5,8 +5,39 @@ import { execFile as execFileCb } from "node:child_process";
 import { promisify } from "node:util";
 import { basename, dirname, isAbsolute, join, relative, resolve, sep } from "node:path";
 import { FloomError } from "./errors.js";
-const ALLOWED_PACKAGE_DIRS = new Set(["references", "examples", "scripts", "assets"]);
+const ALLOWED_PACKAGE_DIRS = new Set([
+    "agents",
+    "assets",
+    "canvas-fonts",
+    "checks",
+    "core",
+    "evidence",
+    "examples",
+    "helpers",
+    "reference",
+    "references",
+    "schemas",
+    "scripts",
+    "spreadsheets",
+    "templates",
+    "tests",
+    "themes",
+]);
 const ALLOWED_PACKAGE_ROOT_FILES = new Set(["SKILL.md", ".gitignore"]);
+const IGNORED_PACKAGE_ROOT_ENTRIES = new Set([".DS_Store", ".git", ".pytest_cache"]);
+const ALLOWED_PACKAGE_ROOT_EXTENSIONS = new Set([
+    ".env.example",
+    ".js",
+    ".json",
+    ".md",
+    ".py",
+    ".sh",
+    ".toml",
+    ".ts",
+    ".txt",
+    ".yaml",
+    ".yml",
+]);
 const PACKAGE_FILE_LIMIT = 100;
 const PACKAGE_TOTAL_BYTES_LIMIT = 1_000_000;
 const PACKAGE_FILE_BYTES_LIMIT = 500_000;
@@ -95,11 +126,38 @@ async function collectPackageFiles(root) {
     const isIgnored = gitIgnoreChecker(root);
     const rootEntries = await readdir(root, { withFileTypes: true });
     for (const entry of rootEntries) {
-        if (ALLOWED_PACKAGE_ROOT_FILES.has(entry.name) || ALLOWED_PACKAGE_DIRS.has(entry.name))
-            continue;
         if (await isIgnored(entry.name))
             continue;
-        const hint = "Move supporting files under references/, examples/, scripts/, or assets/.";
+        if (IGNORED_PACKAGE_ROOT_ENTRIES.has(entry.name))
+            continue;
+        if (ALLOWED_PACKAGE_ROOT_FILES.has(entry.name))
+            continue;
+        if (entry.isDirectory() && ALLOWED_PACKAGE_DIRS.has(entry.name))
+            continue;
+        if (entry.isFile() && isAllowedRootPackageFile(entry.name)) {
+            const rel = entry.name;
+            validatePackageRelativePath(rel);
+            const fullPath = join(root, entry.name);
+            const stat = await lstat(fullPath);
+            if (files.length >= PACKAGE_FILE_LIMIT) {
+                throw new FloomError("Skill package has too many files.", "A skill package is capped at 100 supporting files.");
+            }
+            if (stat.size > PACKAGE_FILE_BYTES_LIMIT) {
+                throw new FloomError(`File too large: ${rel}`, "Each package file is capped at 500KB.");
+            }
+            totalBytes += stat.size;
+            ensurePackageSize(totalBytes);
+            const bytes = await readFile(fullPath);
+            files.push({
+                path: rel,
+                content_base64: bytes.toString("base64"),
+                encoding: "base64",
+                size_bytes: bytes.length,
+                sha256: sha256Bytes(bytes),
+            });
+            continue;
+        }
+        const hint = `Move supporting files under one of: ${Array.from(ALLOWED_PACKAGE_DIRS).sort().join(", ")}.`;
         throw new FloomError(`Unsupported root package entry: ${entry.name}`, hint);
     }
     for (const dirName of ALLOWED_PACKAGE_DIRS) {
@@ -121,13 +179,22 @@ async function collectPackageFiles(root) {
             throw new FloomError(`Package entry must be a directory: ${dirName}`);
         await collectDir(root, dirPath, files, isIgnored, (size) => {
             totalBytes += size;
-            if (totalBytes > PACKAGE_TOTAL_BYTES_LIMIT) {
-                throw new FloomError("Skill package is too large.", "A skill package is capped at 1MB total.");
-            }
+            ensurePackageSize(totalBytes);
         });
     }
     return files.sort((a, b) => a.path.localeCompare(b.path));
 }
+function isAllowedRootPackageFile(name) {
+    if (name.startsWith(".") && name !== ".env.example")
+        return false;
+    const lower = name.toLowerCase();
+    return Array.from(ALLOWED_PACKAGE_ROOT_EXTENSIONS).some((ext) => lower.endsWith(ext));
+}
+function ensurePackageSize(totalBytes) {
+    if (totalBytes > PACKAGE_TOTAL_BYTES_LIMIT) {
+        throw new FloomError("Skill package is too large.", "A skill package is capped at 1MB total.");
+    }
+}
 async function collectDir(root, dir, files, isIgnored, addBytes) {
     const entries = await readdir(dir, { withFileTypes: true });
     for (const entry of entries) {
@@ -237,8 +304,11 @@ export function validatePackageRelativePath(path) {
         throw new FloomError(`Invalid package file path: ${path}`);
     }
     const segments = path.split("/");
-    if (segments.length < 2 || !ALLOWED_PACKAGE_DIRS.has(segments[0] ?? "")) {
-        throw new FloomError(`Invalid package file path: ${path}`, "Package files must be under references/, examples/, scripts/, or assets/.");
+    if (segments.length === 1 && !isAllowedRootPackageFile(segments[0] ?? "")) {
+        throw new FloomError(`Invalid package file path: ${path}`, "Root package files must be safe text files such as .md, .txt, .json, .yaml, .toml, .py, .sh, .js, or .ts.");
+    }
+    if (segments.length > 1 && !ALLOWED_PACKAGE_DIRS.has(segments[0] ?? "")) {
+        throw new FloomError(`Invalid package file path: ${path}`, `Package files must be root text files or live under one of: ${Array.from(ALLOWED_PACKAGE_DIRS).sort().join(", ")}.`);
     }
     if (segments.some((segment) => segment === "." || segment === ".." || !PACKAGE_SEGMENT_RE.test(segment))) {
         throw new FloomError(`Invalid package file path: ${path}`);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@floomhq/floom",
-  "version": "1.0.24",
+  "version": "1.0.25",
   "description": "Sync AI skills across agents and machines.",
   "license": "MIT",
   "type": "module",