npm - @blockrun/mcp - Versions diffs - 0.24.0 → 0.24.1 - Mend

@blockrun/mcp 0.24.0 → 0.24.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2) hide show

package/dist/index.js +70 -9
package/package.json +1 -1

package/dist/index.js CHANGED Viewed

@@ -20,8 +20,7 @@ import {
   loadSolanaWallet,
   getPaymentLinks,
   formatWalletCreatedMessage,
-  formatNeedsFundingMessage,
-  SOLANA_WALLET_FILE_PATH
+  formatNeedsFundingMessage
 } from "@blockrun/llm";
 // src/utils/constants.ts
@@ -80,7 +79,7 @@ function getChain() {
   if (preferred) return preferred;
   if (process.env.SOLANA_WALLET_KEY) return "solana";
   try {
-    if (fs.existsSync(SOLANA_WALLET_FILE_PATH)) return "solana";
+    if (loadSolanaWallet()) return "solana";
   } catch {
   }
   return "base";
@@ -154,6 +153,10 @@ function buildClientWithTimeout(timeoutMs) {
   const privateKey = getOrCreateWalletKey();
   return new LLMClient({ privateKey, timeout: timeoutMs });
 }
+function buildClient() {
+  if (getChain() === "solana") return buildSolanaClient();
+  return new LLMClient({ privateKey: getOrCreateWalletKey() });
+}
 function getAnthropicClient() {
   if (!_anthropicClient) {
     const privateKey = getOrCreateWalletKey();
@@ -230,7 +233,8 @@ async function getBaseUsdcBalance(address) {
       const response = await fetch(rpcUrl, {
         method: "POST",
         headers: { "Content-Type": "application/json" },
-        body: JSON.stringify(data)
+        body: JSON.stringify(data),
+        signal: AbortSignal.timeout(8e3)
       });
       const result = await response.json();
       const usd = parseBaseUsdcCallResult(result.result);
@@ -248,7 +252,7 @@ async function getChainBalance(chain, address) {
 // src/utils/model-cache.ts
 var CACHE_TTL_MS = 5 * 60 * 1e3;
 async function loadModels(llm, cache) {
-  if (!cache.models) {
+  if (cache.models === null || cache.models.length === 0) {
     cache.models = llm.listAllModels ? await llm.listAllModels() : await llm.listModels();
     setTimeout(() => {
       cache.models = null;
@@ -998,7 +1002,7 @@ Run blockrun_models to see all available models with pricing.`,
       }
     },
     async ({ message, model, mode, routing, routing_profile, system, max_tokens, temperature, response_format, stop, thinking, agent_id, messages }) => {
-      const llm = getClient();
+      const llm = buildClient();
       const responseFormat = response_format ? { type: response_format } : void 0;
       const estimatedCost = estimateChatCost(max_tokens, mode, model, routing, routing_profile);
       const gate = reserveBudget(budget, agent_id, estimatedCost);
@@ -1215,6 +1219,41 @@ ${lines.join("\n")}` }],
 // src/tools/image.ts
 import { z as z4 } from "zod";
 import { PaymentError } from "@blockrun/llm";
+// src/utils/ssrf.ts
+function ipv4Blocked(host) {
+  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
+  if (!m) return null;
+  const o = m.slice(1).map(Number);
+  if (o.some((n) => n > 255)) return true;
+  const [a, b] = o;
+  return a === 0 || // 0.0.0.0/8
+  a === 127 || // loopback
+  a === 10 || // private
+  a === 172 && b >= 16 && b <= 31 || // private
+  a === 192 && b === 168 || // private
+  a === 169 && b === 254 || // link-local (incl. metadata)
+  a === 100 && b >= 64 && b <= 127;
+}
+function isBlockedFetchHost(hostname) {
+  let host = hostname.trim().toLowerCase();
+  if (host.startsWith("[") && host.endsWith("]")) host = host.slice(1, -1);
+  if (!host) return true;
+  if (host === "localhost" || host.endsWith(".localhost")) return true;
+  if (host.endsWith(".internal") || host.endsWith(".local")) return true;
+  const v4 = ipv4Blocked(host);
+  if (v4 !== null) return v4;
+  if (host.includes(":")) {
+    if (host === "::1" || host === "::") return true;
+    if (host.startsWith("fc") || host.startsWith("fd") || host.startsWith("fe80")) return true;
+    const mapped = /^::ffff:(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})$/.exec(host);
+    if (mapped) return ipv4Blocked(mapped[1]) === true;
+    return false;
+  }
+  return false;
+}
+// src/tools/image.ts
 import { readFile } from "fs/promises";
 var REFERENCE_IMAGE_MAX_BYTES = 4e6;
 var IMAGE_EXT_MIME = {
@@ -1230,7 +1269,22 @@ async function toImageDataUri(ref) {
     const ctrl = new AbortController();
     const timeout = setTimeout(() => ctrl.abort(), 3e4);
     try {
-      const res = await fetch(ref, { signal: ctrl.signal });
+      let url = ref;
+      let res;
+      for (let hop = 0; ; hop++) {
+        const host = new URL(url).hostname;
+        if (isBlockedFetchHost(host)) {
+          throw new Error(`refusing to fetch a private/loopback/link-local address: ${host}`);
+        }
+        res = await fetch(url, { signal: ctrl.signal, redirect: "manual" });
+        const location = res.headers.get("location");
+        if (res.status >= 300 && res.status < 400 && location) {
+          if (hop >= 5) throw new Error("too many redirects");
+          url = new URL(location, url).toString();
+          continue;
+        }
+        break;
+      }
       if (!res.ok) throw new Error(`fetch failed: ${res.status} ${res.statusText}`);
       const mime2 = (res.headers.get("content-type") || "").toLowerCase().split(";")[0].trim();
       if (!mime2.startsWith("image/")) throw new Error(`URL returned non-image content-type: ${mime2 || "(none)"}`);
@@ -2012,6 +2066,13 @@ Returns a permanent blockrun-hosted MP4 URL (the gateway mirrors the asset to GC
         const paymentRequired = parsePaymentRequired3(prHeader);
         const details = extractPaymentDetails3(paymentRequired);
         const settledUsd = amountToUsd(details.amount);
+        if (settledUsd !== null && settledUsd > estimatedCost) {
+          gate?.release();
+          gate = reserveBudget(budget, agent_id, settledUsd);
+          if (!gate.allowed) {
+            return { content: [{ type: "text", text: `${gate.reason}. Use blockrun_wallet action:"report" to see usage or action:"delegate" to increase agent budget.` }], isError: true };
+          }
+        }
         const paymentPayload = await createPaymentPayload3(
           privateKey,
           account.address,
@@ -2088,7 +2149,7 @@ Returns a permanent blockrun-hosted MP4 URL (the gateway mirrors the asset to GC
         const lines = [
           `\u{1F3AC} Video ready!`,
           `URL: ${completed.url}`,
-          `Duration: ${completed.duration_seconds ? `${completed.duration_seconds}s` : "8s"}`,
+          `Duration: ${completed.duration_seconds ?? billedSeconds}s`,
           `Model: ${completed.modelReturned || selectedModel}`,
           ...completed.backed_up ? [`Backed up to BlockRun storage (URL is permanent)`] : completed.source_url ? [`Source URL: ${completed.source_url}`] : [],
           ...completed.request_id ? [`Request ID: ${completed.request_id}`] : [],
@@ -2887,7 +2948,7 @@ Examples:
             isError: true
           };
         }
-        const response = await fetch(url);
+        const response = await fetchWithTimeout(url, {}, 8e3);
         if (!response.ok) {
           throw new Error(`DexScreener API error: ${response.status}`);
         }

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@blockrun/mcp",
-  "version": "0.24.0",
+  "version": "0.24.1",
   "mcpName": "io.github.BlockRunAI/blockrun-mcp",
   "description": "BlockRun MCP Server - Give your AI agent web search, deep research, prediction markets, crypto data, X/Twitter intelligence. Paid via x402 micropayments.",
   "type": "module",