Releases: BlockRunAI/blockrun-mcp
Release list
v0.30.2 — neg-risk trading fix (pUSD→NegRisk Adapter approval)
Fixes real-money trading on neg-risk (multi-outcome "winner") markets.
fix(polymarket)— grant the missing pUSD → NegRisk Adapter approval.setupapproved pUSD spend for only the two exchanges while giving the adapter a CTF operator approval but not the pUSD one — so a funded, exchange-approved vault had its neg-risk orders accepted by the CLOB then reverted in settlement. The pUSD spender set now matches Polymarket's canonicalapproveTokensForTrading(both exchanges + NegRisk Adapter + Conditional Tokens). Existing deposit wallets self-correct: re-runaction:"setup" confirm:trueonce to sign the new approval.fix(polymarket)— buy/sell now self-heal a stale CLOB balance cache: on anot enough balance/allowancerejection, refreshupdateBalanceAllowanceand retry the submit once;setupno longer silently swallows a failed cache warm-up.docs— document the full canonical approval set + neg-risk troubleshooting (README, setup guide, skill).
152 tests, typecheck, build, and stdio MCP smoke (19 tools) green.
v0.26.0 — media tools report USDC cost
blockrun_image, blockrun_video, and blockrun_music now surface the USDC cost in their result: a Cost: $X.XXXX line in the text output and a cost_usd field in structuredContent, matching blockrun_speech / blockrun_realface. Video and music report the real 402-settled amount (token-priced upstream, so 1080p/4K clips and long tracks can exceed the per-unit estimate); image uses the catalog estimate on Base and the 402 amount on Solana, each falling back to the estimate only if the quote doesn't parse. No new spend path and no change to what is charged — the figure shown is the same amount already booked to the budget ledger. Adds handler-level tests (HTTP + x402 mocked, no network/no spend). Typecheck clean, 109 tests pass, build + 18-tool stdio smoke green.
v0.25.3 — audit pass: budget-gate + pricing hardening, SSRF FQDN fix
A multi-agent audit pass (finder fan-out across the payment path + freshly-merged Solana image code, each finding adversarially verified) surfaced six real issues — all fixed. Two are budget-gate bypasses on the most-used tools; one is an SSRF deny-list gap.
- fix(chat) — reserve the frontier worst-case for
balanced/coding/default modes (the default chat path was reserving 6–20× too little, defeating the cap under concurrency). - security(ssrf) — strip trailing dots so an FQDN (
metadata.google.internal.,localhost.) can't bypass theblockrun_imagefetch deny-list. - fix(phone,surf) — price on a normalized path so a query string / trailing slash can't downgrade an expensive route (e.g. the $5
phone/numbers/buy) to the $0.001 default while the gateway charges full. - fix(image) — re-reserve the Solana quote against the budget before signing, so a marked-up settlement can't blow the cap (mirrors
blockrun_video). - fix(music) — keep the EIP-3009 authorization valid through the whole submit+poll window (was expiring at 300s, failing settlement for slow tracks).
- fix(speech,music) — book settled spend before parsing the response body, so a truncated body can't un-record a real on-chain charge.
103 tests (13 new) + typecheck + build + 18-tool stdio smoke green. No breaking changes.
v0.25.2 — patch the ws DoS dependency chain
Dependency security: a pinned viem transitive ws@8.20.1 (below the ≥8.21.0 patch) was flagging the whole ws → viem → @x402/evm → @blockrun/clawrouter → @blockrun/llm chain (5 high). An overrides entry forces viem's ws to 8.21.0 — clearing all of them (npm audit 15 → 11). The override ships in package.json, so every npx install gets the patched ws.
Remaining advisories are out of this repo's control: the Solana web3.js-v1 tree (no upstream fix for bigint-buffer; npm's only "fix" is a breaking downgrade), the intentional rpc-websockets@9.3.0 pin (bumping re-introduces the Node <20.19 ESM break), and a dev-only esbuild.
Also fixed at the source in @blockrun/llm@3.5.1 (pnpm overrides for ws+form-data, dev-tool bump — 0 critical, runtime highs cleared). No source changes; 84 tests + build + live wallet smoke green.
v0.25.1 — validate 0.25.0 env knobs
Hardening for the v0.25.0 opt-in image features (delta-audited, adversarially verified). Both findings low/quality, same root cause: bare Number(env || default) doesn't catch a malformed value.
fix(image)— a typo'd numeric env becameNaNand silently changed behavior:BLOCKRUN_CONFIRM_THRESHOLD="$0.05"flipped the confirm gate to ask-on-every-call, and (fail-open) a malformedBLOCKRUN_INLINE_MAX_BYTESremoved the inline base64 context cap (data.length > NaNis always false).confirm-spendnow reuses the validatedparseBudgetLimitEnv;inline-imageuses a validatingenvInt(falls back on non-finite/non-positive, clamps quality 1–100). No change for valid configs.
84 unit tests. Full details in CHANGELOG.md.
v0.25.0 — image inline preview + opt-in spend confirmation
Lands #21 (thanks @KillerQueen-Z!) — re-integrated on top of the 0.24.x charge path. Two opt-in blockrun_image UX layers, both default to prior behavior:
- Inline preview —
inlineparam (orBLOCKRUN_INLINE_IMAGES=1) returns a downscaled JPEG thumbnail as atype:"image"block alongside the full-res URL, so rich clients render it in-conversation. Best-effort with source download/decode caps; tunable viaBLOCKRUN_INLINE_MAX_DIM/_QUALITY/_MAX_BYTES. - Spend confirmation — MCP elicitation before charging, with an "approve all this session" checkbox. Off by default (
BLOCKRUN_CONFIRM_SPEND=on); fails open (only an explicit decline aborts, releasing the reservation and charging nothing; auto-approve latches only on an explicit accept).
Re-integrated so the 0.24.x SSRF guard, Content-Length cap, and concurrency-safe reserveBudget reservation all stay intact — the confirmation runs once inside the reserve→record→release flow. 84 unit tests. Full details in CHANGELOG.md.
v0.24.3 — SSRF mapped-IPv6 + thinking-budget floor
A fourth audit pass (regression-hunting the 0.24.1–0.24.2 fixes + packaging/build) found two issues, both in fixes shipped earlier in the 0.24.x line.
fix(security)— the image SSRF deny-list (added in 0.24.1) only decoded the decimal::ffff:127.0.0.1form, but the URL parser canonicalizes mapped literals to hex (::ffff:7f00:1), sohttp://[::ffff:169.254.169.254]/reached cloud metadata and[::ffff:127.0.0.1]reached loopback. The hex::ffff:hi:loform is now decoded and blocked; the test exercises the hostnamenew URL()actually emits.fix(chat)—thinking.budget_tokensfloor raised to 1024 (Anthropic's minimum); the prior floor of 1 meant[1,1023]always 400'd.
72 unit tests. Full details in CHANGELOG.md.
v0.24.2 — Third-pass audit fixes
Third audit pass — regression-hunting the 0.24.1 changes plus the previously thin Anthropic path, zod schemas, and docs. All low/medium; one is a regression 0.24.1 introduced.
fix(chat)— extended-thinkingbudget_tokensis now folded into the budget reserve (a tinymax_tokens+ large thinking budget previously passed a ~$0.02 gate while settling for several dollars) and bounded (int, 1–100000).fix(chat)— native Anthropic data-URI images: accept thejpgalias + parameters, reject unsupported types, skip an unparseable data URI instead of forwarding a brokentype:"url"source, and drop an empty-content turn.fix(perf)—getChain()no longer scans the home directory on every call (a regression from 0.24.1's empty-session-file fix); it reads just the session file and requires it non-empty.docs(readme)— Node ≥ 20.19,blockrun_realfaceadded to the Base-only lists,blockrun_searchnoted as covering X/Twitter.
70 unit tests. Full details in CHANGELOG.md.
v0.24.1 — Second-pass audit hardening
A second audit pass (every finding adversarially re-verified) over the 0.24.0 code — including the changes 0.24.0 itself introduced — surfaced a batch of hardening fixes. None critical; the two notable ones are residuals of the 0.24.0 budget work.
Budget integrity
- High-res video can no longer settle past the cap — the pre-pay gate reserved only the 720p per-second estimate; the real token-priced 402 amount is now re-reserved against the budget before paying (and held through the polling window for concurrent jobs).
- Concurrent
blockrun_chatno longer over-counts / cross-attributes spend —withSettledCostread a shared cumulative counter; each chat call now uses a fresh per-call client so the spend delta isolates that call (was fail-safe — never overspent, but inflated the ledger and misattributed per-agent spend).
Security / robustness
- SSRF guard on
blockrun_imagereference-URL fetch — rejects loopback/private/link-local/CGNAT/IPv6-ULA + metadata/internal hosts and re-validates every redirect hop. - Bounded fetches for
blockrun_dexand the Base balance RPC (no unbounded hang); model cache treats an empty catalogue as not-loaded (was pinned for the full TTL);getChaindetects Solana via a usable key, so an empty session file can't pin every tool to an unbuildable client. - Video success message reports the billed duration (not a hardcoded 8s); OpenAI inventory comment lists
gpt-5.5.
68 unit tests. Full details in CHANGELOG.md.
v0.24.0 — Budget-cap security fixes
A whole-codebase audit (8 review angles, every finding adversarially re-verified) found that the v0.23.0 budget cap — the wallet-drain guardrail — had four independent bypasses. This release closes all of them plus a batch of correctness and robustness fixes.
Security / budget integrity
- Path traversal in passthrough tools —
rpc/surf/modal/phone/exa/search/defi/marketsonly stripped slashes, so a..segment (incl.%2e%2e/.%2e/ backslash encodings the URL parser normalizes) escaped the namespace and re-routed cheap calls onto expensive paid endpoints, defeating the per-tool budget pre-check and profile scoping. Newpath-safetyguards reject traversal/invalid chain slugs before any spend. - Concurrent-spend TOCTOU —
checkBudgetonly readspent; concurrent calls each passed a stale total and overran the cap. NewreserveBudget()atomically checks and reserves the estimate, released infinallyacross all 15 paid tools. routing:"smart"+routing_profile:"free"reserved$0but routed to a paid model — unmetered drain. Removed the$0special-case; corrected the misleading schema copy.
Correctness / robustness
- Manual-402 media tools no longer report a 5xx/429/425 outage as "fund your wallet";
formatErrorno longer reads$402.50as a status code;music/videoguard the probe-body parse. --profile constructor/__proto__falls back tofullinstead of crashing; a lagging RPC no longer yields$NaN USDC;fetchWithTimeoutcovers a stalled body; remote reference images are rejected byContent-Lengthbefore buffering; the key-leak scanner catches bare 64-hex keys.- JSON mode now honored on the native
anthropic/claude-*path;routing:"smart"+ multi-turnmessagesreturns a clear error instead of dropping history. - Dead
ServerContextremoved;realfaceenroll deduped ontopayAndPostJson.
64 unit tests (29 new). Full details in CHANGELOG.md.