floom-legacy
Health Warn
- License — License: MIT
- Description — Repository has a description
- Active repo — Last push 0 days ago
- Low visibility — Only 7 GitHub stars
Code Fail
- eval() — Dynamic code execution via eval() in .github/workflows/ax-eval-nightly.yml
- process.env — Environment variable access in .github/workflows/visual-verify.yml
- fs module — File system access in .github/workflows/visual-verify.yml
Permissions Pass
- Permissions — No dangerous permissions requested
This project provides a protocol and runtime designed to help developers quickly build, deploy, and ship agentic AI applications. It acts as an MCP server that generates HTTP endpoints and web forms directly from OpenAPI specifications.
Security Assessment
The tool has a low-risk permission profile with no hardcoded secrets and no dangerous permission requests. However, the codebase includes several execution and access warnings that require attention. Dynamic code execution via `eval()` was detected in a GitHub Actions workflow, which poses a potential code injection risk. Additionally, other workflows access environment variables and the file system. While these accesses are likely standard for automated testing pipelines, developers should exercise caution if modifying or running these workflows locally. Overall risk: Medium.
Quality Assessment
The project is actively maintained, with recent updates pushed as recently as today. It benefits from a clear MIT license and a well-documented README. However, community trust and visibility are currently very low, with only 7 GitHub stars. This indicates that the tool is in its early stages and has not yet undergone widespread peer review or community testing.
Verdict
Use with caution; the active development and standard license are promising, but the low community adoption and presence of `eval()` in workflows warrant a thorough review of your specific use case.
The protocol + runtime for agentic work. Open source.
Floom
Ship AI apps fast.
The protocol and runtime for agentic work.
Run published AI apps today. Cloud publishing, MCP creator tooling, and agent-token workflows are in beta access while the public site is in waitlist mode.
Try it · Self-host · Waitlist · Protocol · Roadmap · Discord
OpenAPI spec ──▶ Floom ──▶ 3 surfaces
├─ MCP server (/mcp/app/:slug)
├─ HTTP endpoint (/api/:slug/run)
└─ Web form (/p/:slug)
Public beta + waitlist. Floom Cloud is open for running published apps, while Cloud publishing, hosted repo deploys, MCP creator tooling, and agent-token account workflows are gated during beta access. Self-host works today with one Docker command. Three AI apps are live now for anyone to try: competitor-lens, ai-readiness-audit, pitch-coach. Join the waitlist for Cloud publishing.
Install the CLI with
curl -fsSL https://floom.dev/install.sh | bash. Do NOT runnpm install floom- the unscopedfloomnpm package is an unrelated third-party streaming tool. Details: cli/floom/README.md.
Point a self-hosted Floom instance at an OpenAPI spec and you get all three, from the same manifest, with auth, rate limits, secret injection, run history, and shareable output pages. The hosted Cloud publish path is waitlist-gated during the beta.
GitHub repo paste currently discovers OpenAPI specs inside a repo and publishes the resulting proxied app for beta users with publish access. Full "Floom hosts my repo code" publishing is tracked separately in packages/runtime as future platform work.
Quickstart
Cloud publish beta
Public Cloud is in waitlist mode. The CLI publish flow below is available to beta users with Cloud publishing and Agent-token access enabled.
curl -fsSL https://floom.dev/install.sh | bash
floom login
floom auth login --token=floom_agent_...
floom init
Edit floom.yaml so it points at a public OpenAPI spec:
name: Petstore
slug: petstore-demo
description: OpenAPI 3.0 reference pet store.
openapi_spec_url: https://petstore3.swagger.io/api/v3/openapi.json
visibility: private
Then validate, publish, and run it after your account has beta publishing access:
floom deploy --dry-run
floom deploy
floom run petstore-demo '{"action":"getInventory"}'
For beta publishers, the deploy output prints the web page at https://floom.dev/p/petstore-demo, the MCP endpoint, and the Studio owner URL. Without beta publishing access, use the live apps or self-host locally.
Self-host in one container
git clone https://github.com/floomhq/floom.git
cd floom/docker
cp apps.yaml.example apps.yaml
docker compose up -d --build
Or try the live apps at floom.dev/apps — no install. Full self-host walkthrough: docs/SELF_HOST.md.
What it is
Floom is a runtime and a protocol for agentic apps. In the beta publish path, you describe an app with an OpenAPI spec; Floom gives you an MCP server an agent can call, a plain HTTP endpoint, and a web form on a shareable URL — all at the same time, all backed by the same auth and rate-limit layer.
The whole stack self-hosts in one Docker container. Source is MIT.
The three surfaces
MCP — any client that speaks Model Context Protocol (Claude Desktop, Claude Code, Cursor, Codex CLI) can call your app as a tool.
{
"mcpServers": {
"resend": { "url": "http://localhost:3051/mcp/app/resend" }
}
}
HTTP — straight JSON-in, JSON-out. Use it from curl, a backend, a cron job.
curl -X POST http://localhost:3051/api/resend/send-email \
-H "Authorization: Bearer $FLOOM_API_KEY" \
-H "content-type: application/json" \
-d '{"from":"[email protected]","to":"[email protected]","subject":"hi","text":"first"}'
Web form — a clean page at /p/:slug your teammates can fill in, with typed inputs, a shareable result URL, and a run history.
https://floom.dev/p/competitor-lens
Who it's for
- Makers shipping side projects. In self-host or Cloud beta publishing, paste an OpenAPI URL, publish a shareable page, hand your friends an MCP tool.
- Teams running internal tools. Wrap a Stripe-style API in a form your ops team can fill in, with runs logged and outputs rendered cleanly.
Two equal ICPs. Two CTAs on the homepage. Two dashboards (/me for runners, /creator for publishers).
Showcase apps
Three apps shipped with Floom to show what it can do:
| App | What it does | Live |
|---|---|---|
| competitor-lens | Compares your landing page against a competitor and returns positioning, pricing, and angle differences. | floom.dev/p/competitor-lens |
| ai-readiness-audit | Audits one site for AI readiness, risks, opportunities, and a concrete next action. | floom.dev/p/ai-readiness-audit |
| pitch-coach | Reviews a short startup pitch and returns critiques, rewrites, and a TL;DR. | floom.dev/p/pitch-coach |
Each one is a real OpenAPI-defined app under examples/ — fork, rename, tweak the prompt.
Self-host
# apps.yaml — one app, wrapped in 10 lines
apps:
- slug: resend
type: proxied
openapi_spec_url: https://raw.githubusercontent.com/resend/resend-openapi/main/resend.yaml
base_url: https://api.resend.com
auth: bearer
secrets: [RESEND_API_KEY]
display_name: Resend
description: "Transactional email API."
cd docker
cp apps.yaml.example apps.yaml
docker compose up -d --build
Open http://localhost:3051/p/resend, or point your agent at http://localhost:3051/mcp/app/resend.
Two manifest shapes ship out of the box:
# Proxied — wrap an existing API
type: proxied
openapi_spec_url: https://api.example.com/openapi.json
base_url: https://api.example.com
auth: bearer
secrets: [EXAMPLE_API_KEY]
# Hosted — Floom runs your container
type: hosted
runtime: python3.12
openapi_spec: ./openapi.yaml
build: pip install .
run: uvicorn my_app.server:app --port 8000
A single request header can only carry one auth token, so pick one per deployment: FLOOM_AUTH_TOKEN (operator-wide kill switch) or FLOOM_CLOUD_MODE=true (real user sign-in + Agent tokens). Full breakdown: docker/.env.example.
Full self-host guide: docs/SELF_HOST.md · Protocol spec: spec/protocol.md · More examples: examples/.
Repo layout
apps/web— floom.dev web surface (React, form + output renderer)apps/server— backend (Hono + SQLite + Docker runner + MCP)packages/renderer—@floom/renderer, default + custom output/input renderer libraryspec/protocol.md— Floom Protocol specexamples/— example manifests, including the three current showcase apps above
Development
pnpm install
pnpm dev
Web on :5173, server on :3051, hot reload on both.
Contributing
Short version: pick an issue labelled good first issue or drop a new example app under examples/. Full guide, including how to add a showcase app: CONTRIBUTING.md.
Community & support
- Discord — discord.gg/8fXGXjxcRz for help, ideas, and patch-of-the-day.
- Docs — floom.dev/docs
- Issues — github.com/floomhq/floom/issues for bugs, feature requests, docs gaps.
- Security — read SECURITY.md, email
[email protected].
License
Floom is released under the MIT license. Use it at work, use it at home, fork it, sell products built on top of it. If you ship something cool, we'd love to see it in the Discord.
Built in SF by @federicodeponte.
Reviews (0)
Sign in to leave a review.
Leave a reviewNo results found