@floomhq/skills 0.2.9 → 0.2.11

package/dist/index.js

@@ -2014,6 +2014,19 @@ var scrypt = promisify(scryptCb);
 // ../shared/src/install-targets.ts
 import { homedir } from "node:os";
 import { join } from "node:path";
+var INSTALL_TARGETS = [
+  "generic",
+  "all",
+  "claude",
+  "codex",
+  "cursor",
+  "gemini",
+  "opencode",
+  "kimi"
+];
+function isInstallTarget(value) {
+  return !!value && INSTALL_TARGETS.includes(value);
+}
 var COMPATIBLE_AGENTS = {
   generic: ["Claude Code", "Codex CLI", "Cursor", "Gemini CLI", "OpenCode", "Kimi CLI"],
   all: ["Claude Code", "Codex CLI", "Cursor", "Gemini CLI", "OpenCode", "Kimi CLI"],
@@ -2061,24 +2074,24 @@ function presetDir(target, opts) {
   }
 }
 function resolveInstallDir(args) {
+  const target = args.target ?? "generic";
   if (args.to) {
     return {
-      target: args.target ?? "generic",
+      target,
       dir: args.to,
       origin: "explicit",
-      compatibleAgents: COMPATIBLE_AGENTS[args.target ?? "generic"]
+      compatibleAgents: COMPATIBLE_AGENTS[target]
     };
   }
-  const targetEnvDir = envDirForTarget(args.target ?? "generic");
+  const targetEnvDir = envDirForTarget(target);
   if (targetEnvDir) {
     return {
-      target: args.target ?? "generic",
+      target,
       dir: targetEnvDir,
       origin: "env",
-      compatibleAgents: COMPATIBLE_AGENTS[args.target ?? "generic"]
+      compatibleAgents: COMPATIBLE_AGENTS[target]
     };
   }
-  const target = args.target ?? "generic";
   return {
     target,
     dir: presetDir(target, { global: args.global, cwd: args.cwd }),
@@ -2381,7 +2394,8 @@ var CONFIG_DIR = join3(homedir2(), ".floom");
 var AUTH_FILE = join3(CONFIG_DIR, "auth.json");
 var DEFAULT_APP_URL = "https://skills.floom.dev";
 var DEFAULT_API_URL = "https://skills.floom.dev/api/v1";
-var LEGACY_API_HOSTS = /* @__PURE__ */ new Set(["floom-v0.vercel.app"]);
+var LEGACY_API_HOSTS = /* @__PURE__ */ new Set(["floom-v0.vercel.app", "skills.wasm.floom.dev"]);
+var TRUSTED_API_HOSTS = /* @__PURE__ */ new Set(["skills.floom.dev", "skills.wasm.floom.dev"]);
 async function ensureDir() {
   await mkdir2(CONFIG_DIR, { recursive: true, mode: 448 });
 }
@@ -2395,12 +2409,15 @@ async function readRawAuth() {
     return JSON.parse(raw);
   } catch (e) {
     if (e.code === "ENOENT") return null;
+    if (e instanceof SyntaxError) {
+      throw new FloomError("AUTH_REQUIRED", "Invalid ~/.floom/auth.json. Run: floom login to refresh local auth.");
+    }
     throw e;
   }
 }
 async function writeAuth(state) {
   await ensureDir();
-  await writeFile(AUTH_FILE, JSON.stringify({ ...state, apiUrl: normalizeApiUrl(state.apiUrl) }, null, 2), { mode: 384 });
+  await writeFile(AUTH_FILE, JSON.stringify({ ...state, apiUrl: trustedApiUrlOrDefault(state.apiUrl) }, null, 2), { mode: 384 });
   try {
     await chmod(AUTH_FILE, 384);
   } catch {
@@ -2423,14 +2440,16 @@ function getAppUrl() {
 }
 function getApiBaseUrls(preferred) {
   const explicitApiUrl = process.env.FLOOM_API_URL?.trim();
-  if (explicitApiUrl) return [normalizeApiUrl(explicitApiUrl)];
-  const primary = normalizeApiUrl(preferred ?? getApiUrl());
+  if (explicitApiUrl) return [trustedApiUrlOrDefault(explicitApiUrl)];
+  const primary = trustedApiUrlOrDefault(preferred ?? getApiUrl());
   const bases = [primary];
   if (preferred && !process.env.FLOOM_APP_URL) bases.push(DEFAULT_API_URL);
   return Array.from(new Set(bases));
 }
 function normalizeApiUrl(apiUrl) {
-  const trimmed = apiUrl.replace(/\/$/, "");
+  if (typeof apiUrl !== "string") return DEFAULT_API_URL;
+  const trimmed = apiUrl.trim().replace(/\/$/, "");
+  if (!trimmed) return DEFAULT_API_URL;
   try {
     const url = new URL(trimmed);
     if (LEGACY_API_HOSTS.has(url.hostname)) return DEFAULT_API_URL;
@@ -2439,6 +2458,22 @@ function normalizeApiUrl(apiUrl) {
   }
   return trimmed;
 }
+function allowsCustomApiUrl() {
+  const raw = process.env.FLOOM_ALLOW_CUSTOM_API_URL?.trim().toLowerCase();
+  return raw === "1" || raw === "true" || raw === "yes";
+}
+function isTrustedApiUrl(apiUrl) {
+  try {
+    const url = new URL(apiUrl);
+    return TRUSTED_API_HOSTS.has(url.hostname) || allowsCustomApiUrl();
+  } catch {
+    return false;
+  }
+}
+function trustedApiUrlOrDefault(apiUrl) {
+  const normalized = normalizeApiUrl(apiUrl);
+  return isTrustedApiUrl(normalized) ? normalized : DEFAULT_API_URL;
+}
 function isLegacyApiUrl(apiUrl) {
   if (!apiUrl) return false;
   try {
@@ -2449,7 +2484,7 @@ function isLegacyApiUrl(apiUrl) {
 }
 
 // src/version.ts
-var VERSION = "0.2.9";
+var VERSION = "0.2.11";
 
 // src/api-client.ts
 var DEFAULT_TIMEOUT_MS = 2e4;
@@ -2491,7 +2526,8 @@ async function api(path, opts = {}) {
       "User-Agent": `floom-cli/${VERSION}`,
       "x-floom-cli-version": VERSION
     };
-    if (token) headers.Authorization = `Bearer ${token}`;
+    const requestToken = opts.tokenOverride ?? token;
+    if (requestToken) headers.Authorization = `Bearer ${requestToken}`;
     let res;
     try {
       res = await fetchWithTimeout(url.toString(), {
@@ -2579,7 +2615,7 @@ async function loginCommand() {
   log.info(`Open this URL in your browser:`);
   log.info(`  ${session.verification_uri}`);
   log.info("");
-  log.info(`Your code: ${session.user_code}`);
+  log.info(`Confirm this code in the browser: ${session.user_code}`);
   log.info("");
   log.info("Waiting for approval in the browser. Press Ctrl+C to cancel.");
   openInBrowser(session.verification_uri).catch(() => {
@@ -2588,8 +2624,9 @@ async function loginCommand() {
   const interval = Math.max(2, session.poll_interval_seconds) * 1e3;
   while (Date.now() < deadline) {
     await new Promise((r) => setTimeout(r, interval));
-    const pollPath = `/cli/sessions/${session.session_id}?device_code=${encodeURIComponent(session.device_code)}`;
-    const poll = await api(pollPath);
+    const poll = await api(`/cli/sessions/${session.session_id}`, {
+      tokenOverride: session.device_code
+    });
     if (poll.status === "approved" && poll.token && poll.handle && poll.email) {
       await writeAuth({
         token: poll.token,
@@ -2647,7 +2684,13 @@ async function whoamiCommand() {
   try {
     me = await api("/me", { authRequired: true });
   } catch (e) {
-    log.err(`Login is not accepted by the Floom API: ${e.message}`);
+    if (e instanceof FloomError && e.code === "TOKEN_EXPIRED") {
+      log.err("Login expired.");
+    } else if (e instanceof FloomError && e.code === "TOKEN_INVALID") {
+      log.err("Login revoked or unknown.");
+    } else {
+      log.err(`Login is not accepted by the Floom API: ${e.message}`);
+    }
     log.info("Run: floom login");
     process.exitCode = 1;
     return;
@@ -2958,7 +3001,8 @@ async function publishCommand(opts = {}) {
   log.ok(`Published ${complete.ref}`);
   log.blank();
   log.info("View:");
-  log.kv("", `${(auth?.apiUrl ?? process.env.FLOOM_API_URL ?? "https://skills.floom.dev/api/v1").replace("/api/v1", "")}/@${handle}/${manifest.name}`);
+  const displayApiUrl = trustedApiUrlOrDefault(process.env.FLOOM_API_URL ?? auth?.apiUrl ?? DEFAULT_API_URL);
+  log.kv("", `${displayApiUrl.replace("/api/v1", "")}/@${handle}/${manifest.name}`);
   log.info("Install:");
   log.kv("", complete.install_command);
 }
@@ -3069,6 +3113,12 @@ async function installCommand(refStr, opts = {}) {
     log.info("Expected: @owner/slug, workspace-slug/slug, or with @version suffix");
     process.exit(1);
   }
+  if (opts.for && !isInstallTarget(opts.for)) {
+    log.err(`Invalid install target: ${opts.for}`);
+    log.info("Expected: claude | codex | cursor | gemini | opencode | kimi | all");
+    process.exit(1);
+  }
+  const installTarget = isInstallTarget(opts.for) ? opts.for : "generic";
   let info;
   try {
     info = await api(`/skills/${ref.owner}/${ref.slug}`);
@@ -3093,7 +3143,7 @@ async function installCommand(refStr, opts = {}) {
     process.exit(1);
   }
   const target = resolveInstallDir({
-    target: opts.for ?? "generic",
+    target: installTarget,
     to: opts.to,
     global: opts.global
   });
@@ -3154,7 +3204,7 @@ async function installCommand(refStr, opts = {}) {
     bundle_sha256: dl.bundle_sha256,
     installed_at: (/* @__PURE__ */ new Date()).toISOString(),
     path: destFolder.replace(projectDir + "/", ""),
-    preset: opts.for
+    preset: installTarget
   });
   await writeLock(projectDir, next);
   log.blank();
@@ -3370,12 +3420,19 @@ async function infoCommand(refStr) {
 }
 
 // src/commands/share.ts
+function isValidEmail(email) {
+  return /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(email);
+}
 async function shareCommand(refStr, email, opts = {}) {
   const ref = parseSkillRef(refStr);
   if (!ref) {
     log.err(`Invalid skill ref: ${refStr}`);
     process.exit(1);
   }
+  if (!isValidEmail(email)) {
+    log.err(`Invalid email: ${email}`);
+    process.exit(1);
+  }
   const role = opts.role ?? "viewer";
   const r = await api(`/skills/${ref.owner}/${ref.slug}/grants`, {
     method: "POST",
@@ -3391,6 +3448,10 @@ async function unshareCommand(refStr, email) {
     log.err(`Invalid skill ref: ${refStr}`);
     process.exit(1);
   }
+  if (!isValidEmail(email)) {
+    log.err(`Invalid email: ${email}`);
+    process.exit(1);
+  }
   const list = await api(`/skills/${ref.owner}/${ref.slug}/grants`, { authRequired: true });
   const grant = list.grants.find((g) => (g.email ?? "").toLowerCase() === email.toLowerCase());
   if (!grant) {
@@ -3402,6 +3463,9 @@ async function unshareCommand(refStr, email) {
 }
 
 // src/commands/library.ts
+function isValidEmail2(email) {
+  return /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(email);
+}
 async function libraryListCommand() {
   const resp = await api("/libraries", { authRequired: true });
   if (!resp.libraries.length) {
@@ -3417,6 +3481,10 @@ async function libraryCreateCommand(slug, name) {
   log.ok(`Created workspace ${resp.slug}`);
 }
 async function libraryInviteCommand(librarySlug, email, role = "viewer") {
+  if (!isValidEmail2(email)) {
+    log.err(`Invalid email: ${email}`);
+    process.exit(1);
+  }
   await api(`/libraries/${librarySlug}/pending-invites`, {
     method: "POST",
     authRequired: true,
@@ -3935,6 +4003,15 @@ import { z as z3 } from "zod";
 import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
 import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
 var API_TIMEOUT_MS = 2e4;
+function semverGte2(a, b) {
+  const pa = a.split(".").map(Number);
+  const pb = b.split(".").map(Number);
+  for (let i = 0; i < 3; i++) {
+    if ((pa[i] ?? 0) > (pb[i] ?? 0)) return true;
+    if ((pa[i] ?? 0) < (pb[i] ?? 0)) return false;
+  }
+  return true;
+}
 async function fetchWithTimeout2(url, init = {}) {
   const controller = new AbortController();
   const timer = setTimeout(() => controller.abort(), API_TIMEOUT_MS);
@@ -3992,10 +4069,14 @@ async function apiRequest(token, path, query) {
   }
   throw lastError ?? new Error("API request failed");
 }
-async function installViaApi(token, refText, target) {
+async function installViaApi(token, refText, target, options = {}) {
   const parsed = parseSkillRef(refText);
   if (!parsed) throw new Error(`Invalid ref: ${refText}`);
+  if (!isInstallTarget(target)) throw new Error(`Invalid install target: ${target}`);
   const info = await apiRequest(token, `/skills/${parsed.owner}/${parsed.slug}`);
+  if (info.min_floom_version && !semverGte2(VERSION, info.min_floom_version)) {
+    throw new Error(`This skill requires Floom CLI >= ${info.min_floom_version} (you have ${VERSION}).`);
+  }
   const dl = await apiRequest(token, `/skills/${parsed.owner}/${parsed.slug}/download`, parsed.version ? { version: parsed.version } : void 0);
   const bundle = await rawGet(dl.download.url);
   if (!verifyBundleHash(bundle, dl.bundle_sha256)) throw new Error("Bundle hash mismatch");
@@ -4003,6 +4084,9 @@ async function installViaApi(token, refText, target) {
   await mkdir9(install.dir, { recursive: true });
   const dest = join13(install.dir, parsed.slug);
   const exists = await readdir4(dest).then(() => true).catch(() => false);
+  if (exists && !options.force) {
+    throw new Error(`Folder already exists at ${dest}. Call install_skill with force=true to overwrite after reviewing local changes.`);
+  }
   if (exists) await rm3(dest, { recursive: true, force: true });
   const temp = await mkdtemp(join13(tmpdir3(), `floom-mcp-${parsed.slug}-`));
   try {
@@ -4024,7 +4108,7 @@ async function installViaApi(token, refText, target) {
     preset: target
   });
   await writeLock(process.cwd(), next);
-  return { path: dest, version: dl.version, ref: info.ref ?? ref };
+  return { path: dest, version: dl.version, ref: info.ref ?? ref, has_scripts: !!dl.has_scripts };
 }
 async function parseSkillBundle(bundle) {
   const tmp = await mkdtemp(join13(tmpdir3(), "floom-mcp-read-"));
@@ -4123,9 +4207,13 @@ async function mcpCommand() {
     const result = await apiRequest(token, `/libraries/${workspaceSlug}/pins`, { target });
     return { content: [{ type: "text", text: JSON.stringify(result) }] };
   });
-  server.tool("install_skill", { ref: z3.string().min(3), target: z3.enum(["claude", "codex", "cursor", "kimi", "opencode", "gemini"]) }, async ({ ref, target }) => {
+  server.tool("install_skill", {
+    ref: z3.string().min(3),
+    target: z3.enum(["claude", "codex", "cursor", "kimi", "opencode", "gemini"]),
+    force: z3.boolean().optional().default(false)
+  }, async ({ ref, target, force }) => {
     const token = await resolveOptionalToken();
-    const installed = await installViaApi(token, ref, target);
+    const installed = await installViaApi(token, ref, target, { force });
     return { content: [{ type: "text", text: JSON.stringify(installed) }] };
   });
   const transport = new StdioServerTransport();
@@ -4166,6 +4254,15 @@ function warn(name, detail) {
 function fail(name, detail) {
   return { name, ok: false, detail };
 }
+function apiUrlCheck(rawApiUrl, label = "api_url") {
+  const normalized = normalizeApiUrl(rawApiUrl);
+  const trusted = trustedApiUrlOrDefault(rawApiUrl);
+  if (isLegacyApiUrl(rawApiUrl)) return warn(label, `legacy URL ${rawApiUrl}; using ${DEFAULT_API_URL}`);
+  if (normalized !== trusted) {
+    return warn(label, `ignored untrusted API URL ${normalized}; set FLOOM_ALLOW_CUSTOM_API_URL=1 only for a trusted self-hosted Floom API`);
+  }
+  return pass(label, trusted);
+}
 async function validateCurrentToken(token) {
   if (!token) return warn("fresh_agent_auth", "missing token; authenticated MCP calls skipped");
   try {
@@ -4195,7 +4292,7 @@ async function doctorCommand(opts = {}) {
     const checks2 = [
       pass("cli_version", VERSION),
       authCheck2,
-      process.env.FLOOM_API_URL ? isLegacyApiUrl(process.env.FLOOM_API_URL) ? warn("api_url", `legacy FLOOM_API_URL ${process.env.FLOOM_API_URL}; using ${DEFAULT_API_URL}`) : pass("api_url", process.env.FLOOM_API_URL) : isLegacyApiUrl(rawAuth?.apiUrl) ? warn("auth_api_url", `legacy URL in ~/.floom/auth.json; using ${DEFAULT_API_URL}`) : pass("api_url", auth2?.apiUrl ?? DEFAULT_API_URL)
+      process.env.FLOOM_API_URL ? apiUrlCheck(process.env.FLOOM_API_URL) : isLegacyApiUrl(rawAuth?.apiUrl) ? warn("auth_api_url", `legacy URL in ~/.floom/auth.json; using ${DEFAULT_API_URL}`) : apiUrlCheck(auth2?.apiUrl ?? DEFAULT_API_URL)
     ];
     emitDoctor(checks2, opts.json);
     if (checks2.some((check) => !check.ok)) process.exit(1);
@@ -4225,7 +4322,7 @@ async function doctorCommand(opts = {}) {
       HOME: tmpHome,
       FLOOM_SKILLS_DIR: tmpSkills,
       ...hasValidToken && token ? { FLOOM_API_TOKEN: token } : {},
-      ...process.env.FLOOM_API_URL ? { FLOOM_API_URL: normalizeApiUrl(process.env.FLOOM_API_URL) } : auth?.apiUrl ? { FLOOM_API_URL: auth.apiUrl } : {}
+      ...process.env.FLOOM_API_URL ? { FLOOM_API_URL: trustedApiUrlOrDefault(process.env.FLOOM_API_URL) } : auth?.apiUrl ? { FLOOM_API_URL: trustedApiUrlOrDefault(auth.apiUrl) } : {}
     },
     stderr: "pipe"
   });
@@ -4251,12 +4348,15 @@ async function doctorCommand(opts = {}) {
     } else {
       checks.push(warn("mcp_authenticated_tools", "skipped list_workspaces/search_skills because no valid token is available"));
     }
-    const ref = opts.ref ?? "floom-demo/brand-voice";
-    const skill = await client.callTool({ name: "get_skill", arguments: { ref } });
-    checks.push(/SKILL\.md/.test(textOf(skill)) ? pass("mcp_get_skill", ref) : fail("mcp_get_skill", "bundle did not include SKILL.md"));
-    const installed = await client.callTool({ name: "install_skill", arguments: { ref, target: opts.target ?? "codex" } });
-    const entries = await readdir5(tmpSkills);
-    checks.push(entries.length > 0 ? pass("mcp_install_skill", textOf(installed)) : fail("mcp_install_skill", "target directory is empty"));
+    if (opts.ref) {
+      const skill = await client.callTool({ name: "get_skill", arguments: { ref: opts.ref } });
+      checks.push(/SKILL\.md/.test(textOf(skill)) ? pass("mcp_get_skill", opts.ref) : fail("mcp_get_skill", "bundle did not include SKILL.md"));
+      const installed = await client.callTool({ name: "install_skill", arguments: { ref: opts.ref, target: opts.target ?? "codex" } });
+      const entries = await readdir5(tmpSkills);
+      checks.push(entries.length > 0 ? pass("mcp_install_skill", textOf(installed)) : fail("mcp_install_skill", "target directory is empty"));
+    } else {
+      checks.push(warn("mcp_public_skill", "skipped; pass --ref <public-skill-ref> to verify get_skill/install_skill against a known public skill"));
+    }
   } catch (e) {
     checks.push(fail("fresh_agent_mcp", e.message));
   } finally {