@blockrun/mcp 0.24.0 → 0.24.2

package/README.md

@@ -77,7 +77,7 @@ Prompts and a worked example for these are in [`skills/image-prompting/SKILL.md`
 
 ## Prerequisites
 
-- **Node.js ≥ 18** (`node -v`)
+- **Node.js ≥ 20.19** (`node -v`)
 - **~$5 USDC** on Base or Solana (the server auto-creates a wallet on first run; see [Fund your wallet](#fund-your-wallet))
 - **An MCP client**: Claude Code, Claude Desktop, Cursor, Windsurf, or ChatGPT Desktop
 
@@ -175,7 +175,7 @@ Then send USDC (SPL) on the **Solana** network — from Coinbase (pick "Solana")
 
 **Base-only — these fall back to Base regardless of active chain:**
 
-- Tools: `blockrun_image`, `blockrun_music`, `blockrun_speech`, `blockrun_video`, paid stock `blockrun_price`. In Solana mode they return a "switch to Base" message instead of charging.
+- Tools: `blockrun_image`, `blockrun_music`, `blockrun_speech`, `blockrun_video`, paid `blockrun_realface` (enroll/portrait), paid stock `blockrun_price`. In Solana mode they return a "switch to Base" message instead of charging.
 - `blockrun_chat routing:"smart"` (ClawRouter) and native Anthropic (`claude-*`) passthrough — on Solana, pass `model:` or `mode:` explicitly.
 
 > Advanced: chain selection can also be forced before startup via files/env (`~/.blockrun/.chain`, `SOLANA_WALLET_KEY`) — see [Environment Variables](#environment-variables). The `action:"chain"` command above is the recommended path.
@@ -196,7 +196,7 @@ Then send USDC (SPL) on the **Solana** network — from Coinbase (pick "Solana")
 | `blockrun_markets` | Polymarket (markets, candles, trades, orderbooks, leaderboards, smart-wallet PnL/clusters, UMA oracle), Kalshi, Limitless, Opinion, Predict.Fun, dFlow, Binance Futures, cross-platform match + search | $0.001–0.005/query |
 | `blockrun_surf` | Surf (asksurf.ai) — 84 endpoints: CEX market data, on-chain SQL (13 chains, 80+ ClickHouse tables), 100M+ labeled wallets, Polymarket + Kalshi side-by-side, social mindshare, news, search, Surf-1.5 chat with citations | $0.001–0.02/call |
 | `blockrun_exa` | Neural web search (Exa) — research, competitors, papers, URL content | $0.01/query |
-| `blockrun_search` | Grok Live Search — web + news with citations | $0.025 × max_results (default 10) |
+| `blockrun_search` | Grok Live Search — web + X/Twitter + news with citations | $0.025 × max_results (default 10) |
 | `blockrun_dex` | Live DEX prices via DexScreener | free |
 | `blockrun_rpc` | Raw JSON-RPC on 40+ chains (Ethereum, Base, Solana, Bitcoin, Sui, NEAR, ...) via Tatum gateway — eth_call, balances, blocks, logs | $0.002/call |
 | `blockrun_defi` | DefiLlama — protocol TVL, chain TVL, yield pools (APY), token prices | $0.001–0.005/call |
@@ -330,7 +330,7 @@ blockrun_wallet action:"setup"                  # funding instructions for the a
 
 *Advanced (force a chain before startup, e.g. in CI):* `echo solana > ~/.blockrun/.chain` then set `SOLANA_WALLET_KEY` or create `~/.blockrun/.solana-session`; `echo base > ~/.blockrun/.chain` reuses the existing `.session` (same Base wallet). These edit the same preference file that `action:"chain"` writes — prefer the tool unless you need pre-startup control.
 
-Some media and paid market-data tools still settle on Base only: `blockrun_image`, `blockrun_music`, `blockrun_speech`, `blockrun_video`, and paid stock `blockrun_price` calls — plus `blockrun_chat routing:"smart"` and native Anthropic (`claude-*`) passthrough. In Solana mode these return a "switch to Base" message instead of charging.
+Some media and paid market-data tools still settle on Base only: `blockrun_image`, `blockrun_music`, `blockrun_speech`, `blockrun_video`, paid `blockrun_realface` (enroll/portrait), and paid stock `blockrun_price` calls — plus `blockrun_chat routing:"smart"` and native Anthropic (`claude-*`) passthrough. In Solana mode these return a "switch to Base" message instead of charging.
 
 The server also runs a non-blocking npm registry check at startup and prints an `Update available` notice to stderr when a newer `@blockrun/mcp` version exists. Upgrade by re-running the install command — no manual `npm update` needed.
 

package/dist/index.js

@@ -80,7 +80,9 @@ function getChain() {
   if (preferred) return preferred;
   if (process.env.SOLANA_WALLET_KEY) return "solana";
   try {
-    if (fs.existsSync(SOLANA_WALLET_FILE_PATH)) return "solana";
+    if (fs.existsSync(SOLANA_WALLET_FILE_PATH) && fs.readFileSync(SOLANA_WALLET_FILE_PATH, "utf-8").trim()) {
+      return "solana";
+    }
   } catch {
   }
   return "base";
@@ -154,6 +156,10 @@ function buildClientWithTimeout(timeoutMs) {
   const privateKey = getOrCreateWalletKey();
   return new LLMClient({ privateKey, timeout: timeoutMs });
 }
+function buildClient() {
+  if (getChain() === "solana") return buildSolanaClient();
+  return new LLMClient({ privateKey: getOrCreateWalletKey() });
+}
 function getAnthropicClient() {
   if (!_anthropicClient) {
     const privateKey = getOrCreateWalletKey();
@@ -230,7 +236,8 @@ async function getBaseUsdcBalance(address) {
       const response = await fetch(rpcUrl, {
         method: "POST",
         headers: { "Content-Type": "application/json" },
-        body: JSON.stringify(data)
+        body: JSON.stringify(data),
+        signal: AbortSignal.timeout(8e3)
       });
       const result = await response.json();
       const usd = parseBaseUsdcCallResult(result.result);
@@ -248,7 +255,7 @@ async function getChainBalance(chain, address) {
 // src/utils/model-cache.ts
 var CACHE_TTL_MS = 5 * 60 * 1e3;
 async function loadModels(llm, cache) {
-  if (!cache.models) {
+  if (cache.models === null || cache.models.length === 0) {
     cache.models = llm.listAllModels ? await llm.listAllModels() : await llm.listModels();
     setTimeout(() => {
       cache.models = null;
@@ -800,11 +807,14 @@ function isAnthropicModel(model) {
   return /^anthropic\//i.test(id) || /^claude-/i.test(id);
 }
 function parseDataUri(url) {
-  const match = /^data:(image\/(?:jpeg|png|gif|webp));base64,(.+)$/i.exec(url.trim());
+  const match = /^data:image\/([a-z0-9.+-]+)(?:;[^;,]+)*;base64,(.+)$/i.exec(url.trim());
   if (!match) return null;
+  let subtype = match[1].toLowerCase();
+  if (subtype === "jpg") subtype = "jpeg";
+  if (!["jpeg", "png", "gif", "webp"].includes(subtype)) return null;
   return {
     type: "base64",
-    media_type: match[1].toLowerCase(),
+    media_type: `image/${subtype}`,
     data: match[2]
   };
 }
@@ -817,9 +827,13 @@ function toAnthropicContent(content) {
     } else if (part.type === "image_url") {
       const url = part.image_url?.url;
       if (!url) continue;
-      const base64 = parseDataUri(url);
-      const source = base64 ? base64 : { type: "url", url };
-      blocks.push({ type: "image", source });
+      if (/^data:/i.test(url)) {
+        const base64 = parseDataUri(url);
+        if (!base64) continue;
+        blocks.push({ type: "image", source: base64 });
+      } else {
+        blocks.push({ type: "image", source: { type: "url", url } });
+      }
     }
   }
   return blocks;
@@ -855,7 +869,9 @@ async function handleAnthropicNative(args) {
       if (text) systemParts.push(text);
       continue;
     }
-    apiMessages.push({ role: m.role, content: toAnthropicContent(m.content) });
+    const content2 = toAnthropicContent(m.content);
+    if (Array.isArray(content2) && content2.length === 0) continue;
+    apiMessages.push({ role: m.role, content: content2 });
   }
   if (responseFormat?.type === "json_object") {
     systemParts.push("Respond with only valid JSON. Do not wrap it in markdown code fences or add any prose before or after.");
@@ -926,10 +942,10 @@ ${thinkingText}` });
 }
 
 // src/tools/chat.ts
-function estimateChatCost(maxTokens, mode, model, routing, routingProfile) {
+function estimateChatCost(maxTokens, mode, model, routing, routingProfile, thinkingBudget) {
   if (mode === "free") return 0;
   if (model?.startsWith("nvidia/")) return 0;
-  const out = Math.max(maxTokens ?? 1024, 256);
+  const out = Math.max((maxTokens ?? 1024) + (thinkingBudget ?? 0), 256);
   const frontierReserve = Math.max(0.01, out / 1e6 * 20);
   if (routing === "smart") {
     switch (routingProfile) {
@@ -982,7 +998,7 @@ Run blockrun_models to see all available models with pricing.`,
         stop: z2.array(z2.string()).max(4).optional().describe("Up to 4 stop sequences; generation halts when any is produced"),
         thinking: z2.object({
           type: z2.literal("enabled"),
-          budget_tokens: z2.number().min(1).describe("Tokens Claude may spend reasoning before answering. max_tokens is auto-raised above this if needed.")
+          budget_tokens: z2.number().int().min(1).max(1e5).describe("Tokens Claude may spend reasoning before answering (1\u2013100000). max_tokens is auto-raised above this if needed; counts toward the budget reserve.")
         }).optional().describe("Anthropic extended thinking. Only honored for anthropic/claude-* models \u2014 these go direct to the native /v1/messages endpoint and the response includes verbatim type:'thinking' blocks with their original signature. Ignored for non-Claude models (no native thinking channel)."),
         agent_id: z2.string().optional().describe("Agent identifier. If a budget was delegated for this agent_id via blockrun_wallet action:'delegate', spending is tracked and enforced. The agent is hard-stopped when its budget is exhausted."),
         messages: z2.array(z2.object({
@@ -998,9 +1014,9 @@ Run blockrun_models to see all available models with pricing.`,
       }
     },
     async ({ message, model, mode, routing, routing_profile, system, max_tokens, temperature, response_format, stop, thinking, agent_id, messages }) => {
-      const llm = getClient();
+      const llm = buildClient();
       const responseFormat = response_format ? { type: response_format } : void 0;
-      const estimatedCost = estimateChatCost(max_tokens, mode, model, routing, routing_profile);
+      const estimatedCost = estimateChatCost(max_tokens, mode, model, routing, routing_profile, thinking?.budget_tokens);
       const gate = reserveBudget(budget, agent_id, estimatedCost);
       if (!gate.allowed) {
         return {
@@ -1215,6 +1231,41 @@ ${lines.join("\n")}` }],
 // src/tools/image.ts
 import { z as z4 } from "zod";
 import { PaymentError } from "@blockrun/llm";
+
+// src/utils/ssrf.ts
+function ipv4Blocked(host) {
+  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
+  if (!m) return null;
+  const o = m.slice(1).map(Number);
+  if (o.some((n) => n > 255)) return true;
+  const [a, b] = o;
+  return a === 0 || // 0.0.0.0/8
+  a === 127 || // loopback
+  a === 10 || // private
+  a === 172 && b >= 16 && b <= 31 || // private
+  a === 192 && b === 168 || // private
+  a === 169 && b === 254 || // link-local (incl. metadata)
+  a === 100 && b >= 64 && b <= 127;
+}
+function isBlockedFetchHost(hostname) {
+  let host = hostname.trim().toLowerCase();
+  if (host.startsWith("[") && host.endsWith("]")) host = host.slice(1, -1);
+  if (!host) return true;
+  if (host === "localhost" || host.endsWith(".localhost")) return true;
+  if (host.endsWith(".internal") || host.endsWith(".local")) return true;
+  const v4 = ipv4Blocked(host);
+  if (v4 !== null) return v4;
+  if (host.includes(":")) {
+    if (host === "::1" || host === "::") return true;
+    if (host.startsWith("fc") || host.startsWith("fd") || host.startsWith("fe80")) return true;
+    const mapped = /^::ffff:(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})$/.exec(host);
+    if (mapped) return ipv4Blocked(mapped[1]) === true;
+    return false;
+  }
+  return false;
+}
+
+// src/tools/image.ts
 import { readFile } from "fs/promises";
 var REFERENCE_IMAGE_MAX_BYTES = 4e6;
 var IMAGE_EXT_MIME = {
@@ -1230,7 +1281,22 @@ async function toImageDataUri(ref) {
     const ctrl = new AbortController();
     const timeout = setTimeout(() => ctrl.abort(), 3e4);
     try {
-      const res = await fetch(ref, { signal: ctrl.signal });
+      let url = ref;
+      let res;
+      for (let hop = 0; ; hop++) {
+        const host = new URL(url).hostname;
+        if (isBlockedFetchHost(host)) {
+          throw new Error(`refusing to fetch a private/loopback/link-local address: ${host}`);
+        }
+        res = await fetch(url, { signal: ctrl.signal, redirect: "manual" });
+        const location = res.headers.get("location");
+        if (res.status >= 300 && res.status < 400 && location) {
+          if (hop >= 5) throw new Error("too many redirects");
+          url = new URL(location, url).toString();
+          continue;
+        }
+        break;
+      }
       if (!res.ok) throw new Error(`fetch failed: ${res.status} ${res.statusText}`);
       const mime2 = (res.headers.get("content-type") || "").toLowerCase().split(";")[0].trim();
       if (!mime2.startsWith("image/")) throw new Error(`URL returned non-image content-type: ${mime2 || "(none)"}`);
@@ -2012,6 +2078,13 @@ Returns a permanent blockrun-hosted MP4 URL (the gateway mirrors the asset to GC
         const paymentRequired = parsePaymentRequired3(prHeader);
         const details = extractPaymentDetails3(paymentRequired);
         const settledUsd = amountToUsd(details.amount);
+        if (settledUsd !== null && settledUsd > estimatedCost) {
+          gate?.release();
+          gate = reserveBudget(budget, agent_id, settledUsd);
+          if (!gate.allowed) {
+            return { content: [{ type: "text", text: `${gate.reason}. Use blockrun_wallet action:"report" to see usage or action:"delegate" to increase agent budget.` }], isError: true };
+          }
+        }
         const paymentPayload = await createPaymentPayload3(
           privateKey,
           account.address,
@@ -2088,7 +2161,7 @@ Returns a permanent blockrun-hosted MP4 URL (the gateway mirrors the asset to GC
         const lines = [
           `\u{1F3AC} Video ready!`,
           `URL: ${completed.url}`,
-          `Duration: ${completed.duration_seconds ? `${completed.duration_seconds}s` : "8s"}`,
+          `Duration: ${completed.duration_seconds ?? billedSeconds}s`,
           `Model: ${completed.modelReturned || selectedModel}`,
           ...completed.backed_up ? [`Backed up to BlockRun storage (URL is permanent)`] : completed.source_url ? [`Source URL: ${completed.source_url}`] : [],
           ...completed.request_id ? [`Request ID: ${completed.request_id}`] : [],
@@ -2887,7 +2960,7 @@ Examples:
             isError: true
           };
         }
-        const response = await fetch(url);
+        const response = await fetchWithTimeout(url, {}, 8e3);
         if (!response.ok) {
           throw new Error(`DexScreener API error: ${response.status}`);
         }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blockrun/mcp",
-  "version": "0.24.0",
+  "version": "0.24.2",
   "mcpName": "io.github.BlockRunAI/blockrun-mcp",
   "description": "BlockRun MCP Server - Give your AI agent web search, deep research, prediction markets, crypto data, X/Twitter intelligence. Paid via x402 micropayments.",
   "type": "module",