@floomhq/floom 1.0.9 → 1.0.11

package/dist/cli.js

@@ -102,6 +102,7 @@ function commandUsage() {
                        ${c.dim("       From a repo, setup writes that repo's CLAUDE.md/AGENTS.md")}
      ${c.cyan("agent-prompt")}       Print the sentence to paste into your agent
                        ${c.dim("Alias: paste")}
+                       ${c.dim("Flags: --target claude|codex")}
      ${c.cyan("doctor")}             Troubleshoot auth, API, and local folders
                        ${c.dim("Flags: --json")}
 
@@ -130,6 +131,7 @@ function commandUsage() {
 }
 const ASSET_TYPES = new Set(["knowledge", "instruction", "workflow", "skill"]);
 const INIT_TEMPLATES = new Set(["generic", "brand-voice", "pr-review", "sales", "support", "onboarding"]);
+const MAX_SHARE_RECIPIENTS = 25;
 const INSTALL_TARGETS = new Set([
     "claude_skill",
     "memory",
@@ -206,8 +208,8 @@ function parseFlags(argv) {
     }
     if (out.shareEmails.length > 0) {
         out.shareEmails = dedupeEmails(out.shareEmails);
-        if (out.shareEmails.length > 200) {
-            throw new FloomError("Too many --share recipients.", "Use 200 email addresses or fewer.");
+        if (out.shareEmails.length > MAX_SHARE_RECIPIENTS) {
+            throw new FloomError("Too many --share recipients.", `Use ${MAX_SHARE_RECIPIENTS} email addresses or fewer.`);
         }
         if (out.visibility === "private") {
             throw new FloomError("`--private --share` would email a link recipients cannot open.", "Use `--unlisted --share` for invite emails, or `npx -y @floomhq/floom share <slug> --add <email>` for email-gated access after publishing.");
@@ -372,6 +374,27 @@ function parseDoctorArgs(argv) {
     }
     return out;
 }
+function parseAgentPromptArgs(argv) {
+    const out = {};
+    for (let i = 0; i < argv.length; i++) {
+        const a = argv[i] ?? "";
+        if (a === "--target" || a.startsWith("--target=")) {
+            const { value, nextIndex } = readFlagValue(argv, i, "--target");
+            if (value !== "claude" && value !== "codex") {
+                throw new FloomError("Invalid --target.", "Use `claude` or `codex`.");
+            }
+            out.target = value;
+            i = nextIndex;
+        }
+        else if (a.startsWith("--")) {
+            throw new FloomError(`Unknown flag: ${a}`, "Try `npx -y @floomhq/floom agent-prompt --target codex`.");
+        }
+        else {
+            throw new FloomError(`Unexpected argument: ${a}`, "Try `npx -y @floomhq/floom agent-prompt --target codex`.");
+        }
+    }
+    return out;
+}
 function parseSearchFlags(argv) {
     const out = { json: false };
     const terms = [];
@@ -636,8 +659,9 @@ function parseSingleFileArg(argv, usageHint) {
         throw new FloomError("Missing file argument.", usageHint);
     return file;
 }
-function agentPrompt() {
-    process.stdout.write("Use my installed Floom skills when they fit the task. Search ~/.claude/skills first.\n");
+function agentPrompt(target = "claude") {
+    const folder = target === "codex" ? "~/.codex/skills" : "~/.claude/skills";
+    process.stdout.write(`Use my installed Floom skills when they fit the task. Search ${folder} first.\n`);
 }
 function sleep(ms, signal) {
     if (signal.aborted)
@@ -829,10 +853,11 @@ async function main() {
                 return;
             }
             case "agent-prompt":
-            case "paste":
-                rejectArgs(rest, "Try `npx -y @floomhq/floom agent-prompt`.");
-                agentPrompt();
+            case "paste": {
+                const flags = parseAgentPromptArgs(rest);
+                agentPrompt(flags.target ?? "claude");
                 return;
+            }
             case "watch": {
                 const flags = parseWatchFlags(rest);
                 await watch(flags.intervalSeconds);

package/dist/login.js

@@ -1,4 +1,5 @@
 import { createServer } from "node:http";
+import { randomBytes } from "node:crypto";
 import open from "open";
 import ora from "ora";
 import { getApiUrl, writeConfig } from "./config.js";
@@ -59,6 +60,7 @@ export async function login() {
 function waitForCallback() {
     return new Promise((resolve, reject) => {
         const apiUrl = getApiUrl();
+        const state = randomBytes(24).toString("base64url");
         let settled = false;
         let retriedEphemeralPort = false;
         const server = createServer((req, res) => {
@@ -90,6 +92,15 @@ function waitForCallback() {
                             res.end(localCallbackPage("Missing tokens from OAuth response."));
                             return;
                         }
+                        if (data.state !== state) {
+                            res.writeHead(400, {
+                                "access-control-allow-origin": origin,
+                                "access-control-allow-private-network": "true",
+                                "content-type": "text/html; charset=utf-8",
+                            });
+                            res.end(localCallbackPage("Invalid OAuth state."));
+                            return;
+                        }
                         res.writeHead(200, {
                             "access-control-allow-origin": origin,
                             "access-control-allow-private-network": "true",
@@ -143,7 +154,7 @@ function waitForCallback() {
                 return;
             }
             const port = address.port;
-            const target = `${apiUrl}/auth/cli?port=${port}`;
+            const target = `${apiUrl}/auth/cli?port=${port}&state=${encodeURIComponent(state)}`;
             open(target).catch((e) => {
                 const msg = e instanceof Error ? e.message : String(e);
                 process.stdout.write(c.yellow(`Could not auto-open browser (${msg}).\n`) +
@@ -157,7 +168,7 @@ function parseCallbackBody(body, contentType) {
     if (type.includes("application/x-www-form-urlencoded")) {
         const params = new URLSearchParams(body);
         const parsed = {};
-        for (const key of ["access_token", "refresh_token", "expires_in", "token_type"]) {
+        for (const key of ["access_token", "refresh_token", "expires_in", "token_type", "state"]) {
             const value = params.get(key);
             if (value)
                 parsed[key] = value;

package/dist/secrets.js

@@ -37,8 +37,11 @@ const PROMPT_INJECTION_PATTERNS = [
 ];
 const DATA_EXFILTRATION_PATTERNS = [
     { label: "Data exfiltration instruction", regex: /\b(?:send|post|upload|exfiltrate|copy) (?:[^.\n]{0,80})\b(?:api keys?|tokens?|secrets?|environment variables|\.env|credentials)\b(?:[^.\n]{0,120})\b(?:to|into) https?:\/\//gi },
+    { label: "Data exfiltration instruction", regex: /\b(?:send|post|upload|exfiltrate|copy)\b[^.\n]{0,120}(?:~\/\.ssh\/[A-Za-z0-9_.-]+|id_rsa|id_ed25519|ssh keys?|private keys?|secret files?)\b[^.\n]{0,120}\b(?:to|into) https?:\/\//gi },
     { label: "Data exfiltration instruction", regex: /\b(?:curl|wget|fetch)\b[^\n]{0,160}\b(?:api keys?|tokens?|secrets?|environment variables|\.env|credentials)\b/gi },
+    { label: "Data exfiltration instruction", regex: /\b(?:curl|wget|fetch)\b[^\n]{0,160}(?:~\/\.ssh\/[A-Za-z0-9_.-]+|id_rsa|id_ed25519|ssh keys?|private keys?|secret files?)\b/gi },
     { label: "Credential harvesting instruction", regex: /\b(?:collect|harvest|steal|extract) (?:[^.\n]{0,80})\b(?:api keys?|tokens?|secrets?|environment variables|\.env|credentials)\b/gi },
+    { label: "Credential harvesting instruction", regex: /\b(?:collect|harvest|steal|extract)\b[^.\n]{0,120}(?:~\/\.ssh\/[A-Za-z0-9_.-]+|id_rsa|id_ed25519|ssh keys?|private keys?|secret files?)\b/gi },
 ];
 function redact(value) {
     if (value.length <= 12)

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@floomhq/floom",
-  "version": "1.0.9",
+  "version": "1.0.11",
   "description": "Publish AI skills from your terminal. Share with a link.",
   "license": "MIT",
   "type": "module",