@floomhq/skills 0.2.0 → 0.2.2

package/src/commands/login.ts

@@ -1,77 +0,0 @@
-import open from "node:child_process";
-import { exec } from "node:child_process";
-import { promisify } from "node:util";
-import { api } from "../api-client.js";
-import { getApiUrl, writeAuth } from "../config.js";
-import { log } from "../lib/output.js";
-
-const sh = promisify(exec);
-
-interface CreateSessionResponse {
-  session_id: string;
-  device_code: string;
-  user_code: string;
-  verification_uri: string;
-  expires_at: string;
-  poll_interval_seconds: number;
-}
-
-interface PollSessionResponse {
-  status: "pending" | "approved" | "expired" | "denied";
-  token?: string;
-  handle?: string;
-  email?: string;
-}
-
-async function openInBrowser(url: string): Promise<void> {
-  const opener = process.platform === "darwin" ? "open" : process.platform === "win32" ? "start" : "xdg-open";
-  try { await sh(`${opener} ${JSON.stringify(url)}`); } catch { /* user can copy-paste */ }
-}
-
-export async function loginCommand(): Promise<void> {
-  log.heading("Starting CLI login...");
-  const session = await api<CreateSessionResponse>("/cli/sessions", {
-    method: "POST",
-    body: { client: "floom-cli", version: "0.0.1" },
-  });
-
-  log.info("");
-  log.info(`Open this URL in your browser:`);
-  log.info(`  ${session.verification_uri}`);
-  log.info("");
-  log.info(`Your code: ${session.user_code}`);
-  log.info("");
-
-  openInBrowser(session.verification_uri).catch(() => {});
-
-  const start = Date.now();
-  const deadline = new Date(session.expires_at).getTime();
-  const interval = Math.max(2, session.poll_interval_seconds) * 1000;
-
-  while (Date.now() < deadline) {
-    await new Promise((r) => setTimeout(r, interval));
-    const pollPath = `/cli/sessions/${session.session_id}?device_code=${encodeURIComponent(session.device_code)}`;
-    const poll = await api<PollSessionResponse>(pollPath);
-    if (poll.status === "approved" && poll.token && poll.handle && poll.email) {
-      await writeAuth({
-        token: poll.token,
-        handle: poll.handle,
-        email: poll.email,
-        apiUrl: getApiUrl(),
-      });
-      log.ok(`Logged in as @${poll.handle} (${poll.email})`);
-      return;
-    }
-    if (poll.status === "denied") {
-      log.err("Login denied.");
-      process.exit(1);
-    }
-    if (poll.status === "expired") {
-      log.err("Login session expired. Run `floom login` again.");
-      process.exit(1);
-    }
-    process.stdout.write(".");
-  }
-  log.err("Login timed out.");
-  process.exit(1);
-}

package/src/commands/logout.ts

@@ -1,18 +0,0 @@
-import { clearAuth, readAuth } from "../config.js";
-import { api } from "../api-client.js";
-import { log } from "../lib/output.js";
-
-export async function logoutCommand(): Promise<void> {
-  const auth = await readAuth();
-  if (!auth) {
-    log.info("Not logged in.");
-    return;
-  }
-  try {
-    await api("/cli/sessions/revoke", { method: "POST", authRequired: true });
-  } catch {
-    // best effort; we still clear local token
-  }
-  await clearAuth();
-  log.ok("Logged out.");
-}

package/src/commands/outdated.ts

@@ -1,57 +0,0 @@
-import { api } from "../api-client.js";
-import { readLock } from "../lib/floom-lock.js";
-import { log } from "../lib/output.js";
-
-interface SkillInfo {
-  ref: string;
-  latest_version: string;
-}
-
-function cmpSemver(a: string, b: string): number {
-  const pa = a.split(".").map((p) => parseInt(p, 10));
-  const pb = b.split(".").map((p) => parseInt(p, 10));
-  for (let i = 0; i < 3; i++) {
-    const d = (pa[i] ?? 0) - (pb[i] ?? 0);
-    if (d !== 0) return d;
-  }
-  return 0;
-}
-
-export async function outdatedCommand(): Promise<void> {
-  const lock = await readLock(process.cwd());
-  const entries = Object.entries(lock.skills);
-  if (entries.length === 0) {
-    log.info("No skills installed.");
-    return;
-  }
-
-  log.heading("Checking for updates...");
-  const outdated: Array<{ ref: string; current: string; latest: string }> = [];
-
-  for (const [ref, e] of entries) {
-    const [, owner, slug] = /^@([^/]+)\/([^@]+)/.exec(ref) ?? [];
-    if (!owner || !slug) continue;
-    try {
-      const info = await api<SkillInfo>(`/skills/${owner}/${slug}`);
-      if (cmpSemver(info.latest_version, e.version) > 0) {
-        outdated.push({ ref, current: e.version, latest: info.latest_version });
-      }
-    } catch (err) {
-      log.warn(`Could not check ${ref}: ${(err as Error).message}`);
-    }
-  }
-
-  log.blank();
-  if (outdated.length === 0) {
-    log.ok("All installed skills are up to date.");
-    return;
-  }
-
-  log.heading("Outdated skills");
-  for (const o of outdated) {
-    console.log(`  ${o.ref.padEnd(40)} ${o.current.padEnd(10)} -> ${o.latest.padEnd(10)}  floom update ${o.ref}`);
-  }
-  log.blank();
-  log.info(`${outdated.length} skill${outdated.length === 1 ? "" : "s"} can be updated.`);
-  process.exit(1); // useful in CI
-}

package/src/commands/publish.ts

@@ -1,111 +0,0 @@
-import { readFile } from "node:fs/promises";
-import { join } from "node:path";
-import {
-  readManifest,
-  parseSkillFrontmatter,
-  collectBundle,
-  packBundle,
-  FloomError,
-} from "@floom/shared";
-import { api, rawPut } from "../api-client.js";
-import { readAuth } from "../config.js";
-import { log } from "../lib/output.js";
-import { validateSkill } from "./validate.js";
-
-interface InitResponse {
-  version_id: string;
-  upload: { method: "PUT"; url: string; expires_at: string };
-}
-
-interface CompleteResponse {
-  ref: string;
-  status: "active";
-  install_command: string;
-}
-
-export interface PublishOptions {
-  library?: string;
-}
-
-export async function publishCommand(opts: PublishOptions = {}): Promise<void> {
-  const auth = await readAuth();
-  if (!auth) {
-    log.err("Not logged in. Run: floom login");
-    process.exit(1);
-  }
-
-  const dir = process.cwd();
-  log.heading("Validating skill...");
-  const report = await validateSkill(dir);
-  if (!report.ok) {
-    log.err("Validation failed. Run `floom validate` for details.");
-    process.exit(1);
-  }
-  log.ok("Validation passed.");
-
-  const m = await readManifest(dir);
-  if (!m.ok) {
-    log.err(m.error);
-    process.exit(1);
-  }
-  const manifest = m.manifest;
-  const skillMd = await readFile(join(dir, "SKILL.md"), "utf8");
-  const { meta } = parseSkillFrontmatter(skillMd);
-
-  const refRoot = opts.library ?? auth.handle;
-  log.heading(`Publishing ${refRoot}/${manifest.name}@${manifest.version}`);
-  log.step("Packing bundle...");
-  const bundle = await collectBundle(dir);
-  const packed = await packBundle(bundle);
-  log.kv("files", String(bundle.files.length));
-  log.kv("size", `${packed.bytes.length} bytes (${(packed.bytes.length / 1024).toFixed(1)} KB)`);
-  log.kv("sha256", packed.sha256);
-
-  log.step("Requesting upload URL...");
-  let initResp: InitResponse;
-  try {
-    initResp = await api<InitResponse>(`/skills/${refRoot}/${manifest.name}/versions`, {
-      method: "POST",
-      authRequired: true,
-      body: {
-        manifest,
-        skill_md: skillMd,
-        bundle: {
-          sha256: packed.sha256,
-          size_bytes: packed.bytes.length,
-        },
-        files: bundle.files.map((f: { relPath: string; sha256: string; size: number }) => ({
-          path: f.relPath,
-          sha256: f.sha256,
-          size_bytes: f.size,
-        })),
-        has_scripts: bundle.hasScripts,
-      },
-    });
-  } catch (e) {
-    if (e instanceof FloomError && e.code === "VERSION_ALREADY_EXISTS") {
-      log.err(`Version ${manifest.version} already exists for @${auth.handle}/${manifest.name}.`);
-      log.info("Bump the version in skill.json (e.g. 0.1.1) and try again.");
-      process.exit(1);
-    }
-    throw e;
-  }
-
-  log.step("Uploading bundle...");
-  await rawPut(initResp.upload.url, packed.bytes, "application/gzip");
-
-  log.step("Finalizing...");
-  const complete = await api<CompleteResponse>(`/versions/${initResp.version_id}/complete`, {
-    method: "POST",
-    authRequired: true,
-    body: { bundle_sha256: packed.sha256 },
-  });
-
-  log.blank();
-  log.ok(`Published ${complete.ref}`);
-  log.blank();
-  log.info("View:");
-  log.kv("", `${auth.apiUrl.replace("/api/v1", "")}/@${auth.handle}/${manifest.name}`);
-  log.info("Install:");
-  log.kv("", complete.install_command);
-}

package/src/commands/share.ts

@@ -1,41 +0,0 @@
-import { parseSkillRef } from "@floom/shared";
-import { api } from "../api-client.js";
-import { log } from "../lib/output.js";
-
-export interface ShareOptions {
-  role?: "viewer" | "editor";
-}
-
-interface GrantResponse {
-  grant: { id: string; email: string; role: string; created_at: string };
-}
-
-export async function shareCommand(refStr: string, email: string, opts: ShareOptions = {}): Promise<void> {
-  const ref = parseSkillRef(refStr);
-  if (!ref) { log.err(`Invalid skill ref: ${refStr}`); process.exit(1); }
-  const role = opts.role ?? "viewer";
-  const r = await api<GrantResponse>(`/skills/${ref.owner}/${ref.slug}/grants`, {
-    method: "POST",
-    authRequired: true,
-    body: { email, role },
-  });
-  log.ok(`Shared ${refStr} with ${r.grant.email} as ${r.grant.role}.`);
-  log.info("No email is sent in V0. They will see the skill under 'Shared with Me' on next login.");
-}
-
-interface GrantListResponse {
-  grants: Array<{ id: string; email?: string; user_handle?: string; role: string }>;
-}
-
-export async function unshareCommand(refStr: string, email: string): Promise<void> {
-  const ref = parseSkillRef(refStr);
-  if (!ref) { log.err(`Invalid skill ref: ${refStr}`); process.exit(1); }
-  const list = await api<GrantListResponse>(`/skills/${ref.owner}/${ref.slug}/grants`, { authRequired: true });
-  const grant = list.grants.find((g) => (g.email ?? "").toLowerCase() === email.toLowerCase());
-  if (!grant) {
-    log.err(`No active grant for ${email} on ${refStr}.`);
-    process.exit(1);
-  }
-  await api(`/skills/${ref.owner}/${ref.slug}/grants/${grant.id}`, { method: "DELETE", authRequired: true });
-  log.ok(`Removed ${email}'s access to ${refStr}.`);
-}

package/src/commands/update.ts

@@ -1,116 +0,0 @@
-import { rm, rename, mkdir } from "node:fs/promises";
-import { tmpdir } from "node:os";
-import { join, resolve } from "node:path";
-import { extractBundle, verifyBundleHash, FloomError } from "@floom/shared";
-import { api, rawGet } from "../api-client.js";
-import { readLock, writeLock, setLockEntry, hashInstalledFolder } from "../lib/floom-lock.js";
-import { log } from "../lib/output.js";
-
-interface SkillInfo {
-  ref: string;
-  latest_version: string;
-}
-
-interface DownloadResponse {
-  ref: string;
-  version: string;
-  download: { url: string; expires_at: string };
-  bundle_sha256: string;
-}
-
-function cmpSemver(a: string, b: string): number {
-  const pa = a.split(".").map((p) => parseInt(p, 10));
-  const pb = b.split(".").map((p) => parseInt(p, 10));
-  for (let i = 0; i < 3; i++) {
-    const d = (pa[i] ?? 0) - (pb[i] ?? 0);
-    if (d !== 0) return d;
-  }
-  return 0;
-}
-
-export interface UpdateOptions {
-  force?: boolean;
-}
-
-export async function updateCommand(refStr?: string, opts: UpdateOptions = {}): Promise<void> {
-  const projectDir = process.cwd();
-  const lock = await readLock(projectDir);
-  const all = Object.entries(lock.skills);
-  if (all.length === 0) {
-    log.info("No installed skills.");
-    return;
-  }
-
-  const targets = refStr ? all.filter(([r]) => r === refStr) : all;
-  if (refStr && targets.length === 0) {
-    log.err(`Not installed: ${refStr}`);
-    process.exit(1);
-  }
-
-  let updated = 0, skipped = 0;
-  for (const [ref, entry] of targets) {
-    const [, owner, slug] = /^@([^/]+)\/([^@]+)/.exec(ref) ?? [];
-    if (!owner || !slug) continue;
-
-    let info: SkillInfo;
-    try { info = await api<SkillInfo>(`/skills/${owner}/${slug}`); }
-    catch (e) {
-      log.warn(`Skip ${ref}: ${(e as Error).message}`);
-      skipped++;
-      continue;
-    }
-
-    if (cmpSemver(info.latest_version, entry.version) <= 0) {
-      log.step(`${ref} is already at latest (${entry.version}).`);
-      continue;
-    }
-
-    const installDir = resolve(projectDir, entry.path);
-
-    // Detect local edits via floom-lock recorded bundle_sha256 — simplistic: we
-    // re-compute on-disk content and compare collective hash to recorded bundle.
-    // V0 hardening: full per-file lock would be richer; we use a simple gate.
-    if (!opts.force) {
-      const current = await hashInstalledFolder(installDir);
-      // The recorded bundle_sha256 is the tarball hash, not folder hash, so we
-      // can't compare directly. For now: if force isn't set and folder exists,
-      // we proceed with confirmation in a real terminal. In V0 we just warn.
-      // (Full editorial detection lands when files-table-per-version syncs.)
-      log.step(`Updating ${ref}: ${entry.version} -> ${info.latest_version}`);
-    }
-
-    const dl = await api<DownloadResponse>(`/skills/${owner}/${slug}/download`);
-    const buf = await rawGet(dl.download.url);
-    if (!verifyBundleHash(buf, dl.bundle_sha256)) {
-      log.err(`Bundle hash mismatch for ${ref} — skipping.`);
-      skipped++;
-      continue;
-    }
-
-    const tmp = await import("node:fs/promises").then((m) =>
-      m.mkdtemp(join(tmpdir(), `floom-update-${slug}-`)),
-    );
-    try {
-      await extractBundle(buf, tmp);
-      await rm(installDir, { recursive: true, force: true });
-      await mkdir(installDir.replace(/\/[^/]+$/, ""), { recursive: true });
-      await rename(tmp, installDir);
-    } catch (e) {
-      await rm(tmp, { recursive: true, force: true }).catch(() => {});
-      throw e;
-    }
-
-    const next = setLockEntry(lock, ref, {
-      ...entry,
-      version: dl.version,
-      bundle_sha256: dl.bundle_sha256,
-      installed_at: new Date().toISOString(),
-    });
-    await writeLock(projectDir, next);
-    log.ok(`Updated ${ref}: ${entry.version} -> ${dl.version}`);
-    updated++;
-  }
-
-  log.blank();
-  log.info(`${updated} updated, ${skipped} skipped.`);
-}

package/src/commands/validate.ts

@@ -1,132 +0,0 @@
-import { readFile, stat } from "node:fs/promises";
-import { join } from "node:path";
-import {
-  readManifest,
-  parseSkillFrontmatter,
-  validateSkillFrontmatter,
-  collectBundle,
-  scanSkillMarkdown,
-} from "@floom/shared";
-import { log } from "../lib/output.js";
-
-export interface ValidateOptions {
-  json?: boolean;
-}
-
-export interface ValidateReport {
-  ok: boolean;
-  manifest: { ok: boolean; message?: string };
-  skill_md: { ok: boolean; message?: string };
-  name_matches: { ok: boolean; message?: string };
-  bundle: { ok: boolean; message?: string; files?: number; size?: number; has_scripts?: boolean };
-  security: { ok: boolean; findings: ReturnType<typeof scanSkillMarkdown> };
-}
-
-export async function validateSkill(dir: string): Promise<ValidateReport> {
-  const report: ValidateReport = {
-    ok: true,
-    manifest: { ok: true },
-    skill_md: { ok: true },
-    name_matches: { ok: true },
-    bundle: { ok: true },
-    security: { ok: true, findings: [] },
-  };
-
-  // manifest
-  const m = await readManifest(dir);
-  if (!m.ok) {
-    report.manifest = { ok: false, message: m.error };
-    report.ok = false;
-    return report;
-  }
-
-  // SKILL.md presence + frontmatter
-  let skillMd: string;
-  try {
-    skillMd = await readFile(join(dir, "SKILL.md"), "utf8");
-  } catch {
-    report.skill_md = { ok: false, message: "SKILL.md not found" };
-    report.ok = false;
-    return report;
-  }
-  const { meta } = parseSkillFrontmatter(skillMd);
-  const fmErr = validateSkillFrontmatter(meta);
-  if (fmErr) {
-    report.skill_md = { ok: false, message: fmErr };
-    report.ok = false;
-  }
-
-  if (meta.name && meta.name !== m.manifest.name) {
-    report.name_matches = {
-      ok: false,
-      message: `skill.json name="${m.manifest.name}" but SKILL.md frontmatter name="${meta.name}"`,
-    };
-    report.ok = false;
-  }
-
-  // bundle (path traversal, symlinks, file/size limits)
-  try {
-    const bundle = await collectBundle(dir);
-    report.bundle = {
-      ok: true,
-      files: bundle.files.length,
-      size: bundle.totalUncompressedBytes,
-      has_scripts: bundle.hasScripts,
-    };
-  } catch (e) {
-    report.bundle = { ok: false, message: (e as Error).message };
-    report.ok = false;
-  }
-
-  // security: secrets + prompt injection in SKILL.md
-  const findings = scanSkillMarkdown(skillMd);
-  if (findings.length > 0) {
-    const secretFindings = findings.filter((f) => f.category === "secret");
-    report.security = { ok: secretFindings.length === 0, findings };
-    if (secretFindings.length > 0) report.ok = false;
-  }
-
-  return report;
-}
-
-export async function validateCommand(opts: ValidateOptions = {}): Promise<void> {
-  const dir = process.cwd();
-  const r = await validateSkill(dir);
-
-  if (opts.json) {
-    console.log(JSON.stringify(r, null, 2));
-    process.exit(r.ok ? 0 : 1);
-  }
-
-  log.heading("Validating skill...");
-  const line = (ok: boolean, label: string, detail?: string) =>
-    ok ? log.ok(`${label.padEnd(28)} ${detail ?? ""}`.trim())
-       : log.err(`${label.padEnd(28)} ${detail ?? ""}`.trim());
-
-  line(r.manifest.ok, "manifest schema", r.manifest.message);
-  line(r.skill_md.ok, "SKILL.md present", r.skill_md.message);
-  line(r.name_matches.ok, "name fields match", r.name_matches.message);
-  if (r.bundle.ok) {
-    line(true, "files + size limits", `${r.bundle.files} files, ${(r.bundle.size ?? 0) / 1024 | 0} KB`);
-  } else {
-    line(false, "files + size limits", r.bundle.message);
-  }
-  if (r.security.findings.length === 0) {
-    line(true, "secrets + prompt injection", "clean");
-  } else {
-    line(r.security.ok, "secrets + prompt injection", `${r.security.findings.length} finding(s)`);
-    for (const f of r.security.findings) {
-      log.warn(`  line ${f.line} [${f.category}] ${f.label}: ${f.preview}`);
-    }
-  }
-  if (r.bundle.has_scripts) {
-    log.warn("This skill contains scripts/. Agents may execute these — review before activating.");
-  }
-  log.blank();
-  if (r.ok) {
-    log.ok("Valid.");
-  } else {
-    log.err("Invalid.");
-    process.exit(1);
-  }
-}

package/src/commands/whoami.ts

@@ -1,14 +0,0 @@
-import { readAuth } from "../config.js";
-import { log } from "../lib/output.js";
-
-export async function whoamiCommand(): Promise<void> {
-  const auth = await readAuth();
-  if (!auth) {
-    log.info("Not logged in. Run: floom login");
-    return;
-  }
-  log.heading("Logged in as:");
-  log.kv("handle", `@${auth.handle}`);
-  log.kv("email", auth.email);
-  log.kv("api url", auth.apiUrl);
-}

package/src/config.ts

@@ -1,44 +0,0 @@
-import { homedir } from "node:os";
-import { join } from "node:path";
-import { mkdir, readFile, writeFile, chmod } from "node:fs/promises";
-
-const CONFIG_DIR = join(homedir(), ".floom");
-const AUTH_FILE = join(CONFIG_DIR, "auth.json");
-
-export interface AuthState {
-  token: string;        // flm_v1_<id>_<secret>
-  handle: string;
-  email: string;
-  apiUrl: string;
-}
-
-export const DEFAULT_API_URL = process.env.FLOOM_API_URL ?? "https://floom-v0.vercel.app/api/v1";
-
-async function ensureDir(): Promise<void> {
-  await mkdir(CONFIG_DIR, { recursive: true, mode: 0o700 });
-}
-
-export async function readAuth(): Promise<AuthState | null> {
-  try {
-    const raw = await readFile(AUTH_FILE, "utf8");
-    return JSON.parse(raw) as AuthState;
-  } catch (e) {
-    if ((e as NodeJS.ErrnoException).code === "ENOENT") return null;
-    throw e;
-  }
-}
-
-export async function writeAuth(state: AuthState): Promise<void> {
-  await ensureDir();
-  await writeFile(AUTH_FILE, JSON.stringify(state, null, 2), { mode: 0o600 });
-  try { await chmod(AUTH_FILE, 0o600); } catch { /* best effort on win */ }
-}
-
-export async function clearAuth(): Promise<void> {
-  const { unlink } = await import("node:fs/promises");
-  try { await unlink(AUTH_FILE); } catch { /* ignore */ }
-}
-
-export function getApiUrl(): string {
-  return process.env.FLOOM_API_URL ?? DEFAULT_API_URL;
-}