Skip to content

Releases: BlockRunAI/blockrun-mcp

v0.30.2 — neg-risk trading fix (pUSD→NegRisk Adapter approval)

Choose a tag to compare

@VickyXAI VickyXAI released this 11 Jul 05:24

Fixes real-money trading on neg-risk (multi-outcome "winner") markets.

  • fix(polymarket) — grant the missing pUSD → NegRisk Adapter approval. setup approved pUSD spend for only the two exchanges while giving the adapter a CTF operator approval but not the pUSD one — so a funded, exchange-approved vault had its neg-risk orders accepted by the CLOB then reverted in settlement. The pUSD spender set now matches Polymarket's canonical approveTokensForTrading (both exchanges + NegRisk Adapter + Conditional Tokens). Existing deposit wallets self-correct: re-run action:"setup" confirm:true once to sign the new approval.
  • fix(polymarket) — buy/sell now self-heal a stale CLOB balance cache: on a not enough balance/allowance rejection, refresh updateBalanceAllowance and retry the submit once; setup no longer silently swallows a failed cache warm-up.
  • docs — document the full canonical approval set + neg-risk troubleshooting (README, setup guide, skill).

152 tests, typecheck, build, and stdio MCP smoke (19 tools) green.

v0.26.0 — media tools report USDC cost

Choose a tag to compare

@VickyXAI VickyXAI released this 05 Jul 06:01

blockrun_image, blockrun_video, and blockrun_music now surface the USDC cost in their result: a Cost: $X.XXXX line in the text output and a cost_usd field in structuredContent, matching blockrun_speech / blockrun_realface. Video and music report the real 402-settled amount (token-priced upstream, so 1080p/4K clips and long tracks can exceed the per-unit estimate); image uses the catalog estimate on Base and the 402 amount on Solana, each falling back to the estimate only if the quote doesn't parse. No new spend path and no change to what is charged — the figure shown is the same amount already booked to the budget ledger. Adds handler-level tests (HTTP + x402 mocked, no network/no spend). Typecheck clean, 109 tests pass, build + 18-tool stdio smoke green.

v0.25.3 — audit pass: budget-gate + pricing hardening, SSRF FQDN fix

Choose a tag to compare

@VickyXAI VickyXAI released this 03 Jul 16:09

A multi-agent audit pass (finder fan-out across the payment path + freshly-merged Solana image code, each finding adversarially verified) surfaced six real issues — all fixed. Two are budget-gate bypasses on the most-used tools; one is an SSRF deny-list gap.

  • fix(chat) — reserve the frontier worst-case for balanced/coding/default modes (the default chat path was reserving 6–20× too little, defeating the cap under concurrency).
  • security(ssrf) — strip trailing dots so an FQDN (metadata.google.internal., localhost.) can't bypass the blockrun_image fetch deny-list.
  • fix(phone,surf) — price on a normalized path so a query string / trailing slash can't downgrade an expensive route (e.g. the $5 phone/numbers/buy) to the $0.001 default while the gateway charges full.
  • fix(image) — re-reserve the Solana quote against the budget before signing, so a marked-up settlement can't blow the cap (mirrors blockrun_video).
  • fix(music) — keep the EIP-3009 authorization valid through the whole submit+poll window (was expiring at 300s, failing settlement for slow tracks).
  • fix(speech,music) — book settled spend before parsing the response body, so a truncated body can't un-record a real on-chain charge.

103 tests (13 new) + typecheck + build + 18-tool stdio smoke green. No breaking changes.

v0.25.2 — patch the ws DoS dependency chain

Choose a tag to compare

@VickyXAI VickyXAI released this 29 Jun 07:23

Dependency security: a pinned viem transitive ws@8.20.1 (below the ≥8.21.0 patch) was flagging the whole ws → viem → @x402/evm → @blockrun/clawrouter → @blockrun/llm chain (5 high). An overrides entry forces viem's ws to 8.21.0 — clearing all of them (npm audit 15 → 11). The override ships in package.json, so every npx install gets the patched ws.

Remaining advisories are out of this repo's control: the Solana web3.js-v1 tree (no upstream fix for bigint-buffer; npm's only "fix" is a breaking downgrade), the intentional rpc-websockets@9.3.0 pin (bumping re-introduces the Node <20.19 ESM break), and a dev-only esbuild.

Also fixed at the source in @blockrun/llm@3.5.1 (pnpm overrides for ws+form-data, dev-tool bump — 0 critical, runtime highs cleared). No source changes; 84 tests + build + live wallet smoke green.

v0.25.1 — validate 0.25.0 env knobs

Choose a tag to compare

@VickyXAI VickyXAI released this 29 Jun 07:01

Hardening for the v0.25.0 opt-in image features (delta-audited, adversarially verified). Both findings low/quality, same root cause: bare Number(env || default) doesn't catch a malformed value.

  • fix(image) — a typo'd numeric env became NaN and silently changed behavior: BLOCKRUN_CONFIRM_THRESHOLD="$0.05" flipped the confirm gate to ask-on-every-call, and (fail-open) a malformed BLOCKRUN_INLINE_MAX_BYTES removed the inline base64 context cap (data.length > NaN is always false). confirm-spend now reuses the validated parseBudgetLimitEnv; inline-image uses a validating envInt (falls back on non-finite/non-positive, clamps quality 1–100). No change for valid configs.

84 unit tests. Full details in CHANGELOG.md.

v0.25.0 — image inline preview + opt-in spend confirmation

Choose a tag to compare

@VickyXAI VickyXAI released this 29 Jun 05:51

Lands #21 (thanks @KillerQueen-Z!) — re-integrated on top of the 0.24.x charge path. Two opt-in blockrun_image UX layers, both default to prior behavior:

  • Inline previewinline param (or BLOCKRUN_INLINE_IMAGES=1) returns a downscaled JPEG thumbnail as a type:"image" block alongside the full-res URL, so rich clients render it in-conversation. Best-effort with source download/decode caps; tunable via BLOCKRUN_INLINE_MAX_DIM/_QUALITY/_MAX_BYTES.
  • Spend confirmation — MCP elicitation before charging, with an "approve all this session" checkbox. Off by default (BLOCKRUN_CONFIRM_SPEND=on); fails open (only an explicit decline aborts, releasing the reservation and charging nothing; auto-approve latches only on an explicit accept).

Re-integrated so the 0.24.x SSRF guard, Content-Length cap, and concurrency-safe reserveBudget reservation all stay intact — the confirmation runs once inside the reserve→record→release flow. 84 unit tests. Full details in CHANGELOG.md.

v0.24.3 — SSRF mapped-IPv6 + thinking-budget floor

Choose a tag to compare

@VickyXAI VickyXAI released this 29 Jun 00:09

A fourth audit pass (regression-hunting the 0.24.1–0.24.2 fixes + packaging/build) found two issues, both in fixes shipped earlier in the 0.24.x line.

  • fix(security) — the image SSRF deny-list (added in 0.24.1) only decoded the decimal ::ffff:127.0.0.1 form, but the URL parser canonicalizes mapped literals to hex (::ffff:7f00:1), so http://[::ffff:169.254.169.254]/ reached cloud metadata and [::ffff:127.0.0.1] reached loopback. The hex ::ffff:hi:lo form is now decoded and blocked; the test exercises the hostname new URL() actually emits.
  • fix(chat)thinking.budget_tokens floor raised to 1024 (Anthropic's minimum); the prior floor of 1 meant [1,1023] always 400'd.

72 unit tests. Full details in CHANGELOG.md.

v0.24.2 — Third-pass audit fixes

Choose a tag to compare

@VickyXAI VickyXAI released this 28 Jun 17:57

Third audit pass — regression-hunting the 0.24.1 changes plus the previously thin Anthropic path, zod schemas, and docs. All low/medium; one is a regression 0.24.1 introduced.

  • fix(chat) — extended-thinking budget_tokens is now folded into the budget reserve (a tiny max_tokens + large thinking budget previously passed a ~$0.02 gate while settling for several dollars) and bounded (int, 1–100000).
  • fix(chat) — native Anthropic data-URI images: accept the jpg alias + parameters, reject unsupported types, skip an unparseable data URI instead of forwarding a broken type:"url" source, and drop an empty-content turn.
  • fix(perf)getChain() no longer scans the home directory on every call (a regression from 0.24.1's empty-session-file fix); it reads just the session file and requires it non-empty.
  • docs(readme) — Node ≥ 20.19, blockrun_realface added to the Base-only lists, blockrun_search noted as covering X/Twitter.

70 unit tests. Full details in CHANGELOG.md.

v0.24.1 — Second-pass audit hardening

Choose a tag to compare

@VickyXAI VickyXAI released this 28 Jun 08:19

A second audit pass (every finding adversarially re-verified) over the 0.24.0 code — including the changes 0.24.0 itself introduced — surfaced a batch of hardening fixes. None critical; the two notable ones are residuals of the 0.24.0 budget work.

Budget integrity

  • High-res video can no longer settle past the cap — the pre-pay gate reserved only the 720p per-second estimate; the real token-priced 402 amount is now re-reserved against the budget before paying (and held through the polling window for concurrent jobs).
  • Concurrent blockrun_chat no longer over-counts / cross-attributes spendwithSettledCost read a shared cumulative counter; each chat call now uses a fresh per-call client so the spend delta isolates that call (was fail-safe — never overspent, but inflated the ledger and misattributed per-agent spend).

Security / robustness

  • SSRF guard on blockrun_image reference-URL fetch — rejects loopback/private/link-local/CGNAT/IPv6-ULA + metadata/internal hosts and re-validates every redirect hop.
  • Bounded fetches for blockrun_dex and the Base balance RPC (no unbounded hang); model cache treats an empty catalogue as not-loaded (was pinned for the full TTL); getChain detects Solana via a usable key, so an empty session file can't pin every tool to an unbuildable client.
  • Video success message reports the billed duration (not a hardcoded 8s); OpenAI inventory comment lists gpt-5.5.

68 unit tests. Full details in CHANGELOG.md.

v0.24.0 — Budget-cap security fixes

Choose a tag to compare

@VickyXAI VickyXAI released this 28 Jun 07:39

A whole-codebase audit (8 review angles, every finding adversarially re-verified) found that the v0.23.0 budget cap — the wallet-drain guardrail — had four independent bypasses. This release closes all of them plus a batch of correctness and robustness fixes.

Security / budget integrity

  • Path traversal in passthrough toolsrpc/surf/modal/phone/exa/search/defi/markets only stripped slashes, so a .. segment (incl. %2e%2e / .%2e / backslash encodings the URL parser normalizes) escaped the namespace and re-routed cheap calls onto expensive paid endpoints, defeating the per-tool budget pre-check and profile scoping. New path-safety guards reject traversal/invalid chain slugs before any spend.
  • Concurrent-spend TOCTOUcheckBudget only read spent; concurrent calls each passed a stale total and overran the cap. New reserveBudget() atomically checks and reserves the estimate, released in finally across all 15 paid tools.
  • routing:"smart" + routing_profile:"free" reserved $0 but routed to a paid model — unmetered drain. Removed the $0 special-case; corrected the misleading schema copy.

Correctness / robustness

  • Manual-402 media tools no longer report a 5xx/429/425 outage as "fund your wallet"; formatError no longer reads $402.50 as a status code; music/video guard the probe-body parse.
  • --profile constructor/__proto__ falls back to full instead of crashing; a lagging RPC no longer yields $NaN USDC; fetchWithTimeout covers a stalled body; remote reference images are rejected by Content-Length before buffering; the key-leak scanner catches bare 64-hex keys.
  • JSON mode now honored on the native anthropic/claude-* path; routing:"smart" + multi-turn messages returns a clear error instead of dropping history.
  • Dead ServerContext removed; realface enroll deduped onto payAndPostJson.

64 unit tests (29 new). Full details in CHANGELOG.md.