@blockrun/mcp 0.7.0 → 0.7.2

package/dist/index.js

@@ -590,18 +590,22 @@ function registerImageTool(server) {
   server.registerTool(
     "blockrun_image",
     {
-      description: `Generate or edit images via BlockRun.
+      description: `Generate or edit images via BlockRun. Pays with USDC \u2014 no separate API keys needed.
 
 Actions:
 - generate (default): Create image from text prompt
 - edit: Transform an existing image using img2img
 
-Generation models: openai/dall-e-3 ($0.04-0.08), together/flux-schnell ($0.02), google/nano-banana
+Generation models:
+- zai/cogview-4 ($0.02) \u2014 Zhipu CogView-4, photorealistic, great for detailed scenes
+- openai/dall-e-3 ($0.04-0.08) \u2014 High quality, prompt adherence
+- together/flux-schnell ($0.02) \u2014 Fast, stylized
+- google/nano-banana \u2014 Google image model
 Edit models: openai/gpt-image-1 (default for edits)`,
       inputSchema: {
         prompt: z4.string().describe("Image description or edit instructions"),
         action: z4.enum(["generate", "edit"]).optional().default("generate").describe("generate: create from text; edit: transform existing image"),
-        model: z4.enum(["openai/dall-e-3", "together/flux-schnell", "google/nano-banana", "openai/gpt-image-1"]).optional().describe("Model to use (default: dall-e-3 for generate, gpt-image-1 for edit)"),
+        model: z4.enum(["zai/cogview-4", "openai/dall-e-3", "together/flux-schnell", "google/nano-banana", "openai/gpt-image-1"]).optional().describe("Model to use (default: dall-e-3 for generate, gpt-image-1 for edit). zai/cogview-4 is Zhipu's photorealistic model."),
         image: z4.string().optional().describe("Source image for edit action: base64-encoded image or URL"),
         size: z4.enum(["1024x1024", "1792x1024", "1024x1792"]).optional().default("1024x1024"),
         quality: z4.enum(["standard", "hd"]).optional().default("standard")
@@ -938,10 +942,10 @@ $0.001/call.`,
         body: z8.any().optional().describe("JSON body for POST queries (triggers pmQuery)")
       }
     },
-    async ({ path: path2, params, body }) => {
+    async ({ path: path3, params, body }) => {
       try {
         const llm = getClient();
-        const result = body ? await llm.pmQuery(path2, body) : await llm.pm(path2, params);
+        const result = body ? await llm.pmQuery(path3, body) : await llm.pm(path3, params);
         return {
           content: [{ type: "text", text: JSON.stringify(result, null, 2) }],
           structuredContent: result
@@ -1038,170 +1042,88 @@ ${lines.join("\n\n")}` }],
   );
 }
 
-// src/tools/glm-vision.ts
+// src/tools/modal.ts
 import { z as z10 } from "zod";
-var ZHIPU_BASE_URL = "https://open.bigmodel.cn/api/paas/v4";
-async function callGLMVision(model, prompt, imageUrl, thinking = false) {
-  const apiKey = process.env.ZHIPU_API_KEY;
-  if (!apiKey) throw new Error("ZHIPU_API_KEY environment variable is required for GLM Vision");
-  const payload = {
-    model,
-    messages: [
-      {
-        role: "user",
-        content: [
-          { type: "image_url", image_url: { url: imageUrl } },
-          { type: "text", text: prompt }
-        ]
-      }
-    ],
-    temperature: 0.8,
-    top_p: 0.6,
-    max_tokens: 16384,
-    stream: false
-  };
-  if (thinking || model.includes("thinking")) {
-    payload["thinking"] = { type: "enabled" };
-  }
-  const res = await fetch(`${ZHIPU_BASE_URL}/chat/completions`, {
-    method: "POST",
-    headers: {
-      "Content-Type": "application/json",
-      Authorization: `Bearer ${apiKey}`
-    },
-    body: JSON.stringify(payload)
-  });
-  if (!res.ok) {
-    const err = await res.text().catch(() => res.statusText);
-    throw new Error(`GLM Vision API error ${res.status}: ${err}`);
-  }
-  const data = await res.json();
-  const choice = data.choices?.[0];
-  if (!choice) throw new Error("No response from GLM Vision");
-  if (choice.finish_reason === "sensitive") throw new Error("Content blocked by safety filter");
-  return choice.message.content;
-}
-async function callGLMOCR(fileUrl, startPage = 1, endPage) {
-  const apiKey = process.env.ZHIPU_API_KEY;
-  if (!apiKey) throw new Error("ZHIPU_API_KEY environment variable is required for GLM OCR");
-  const payload = {
-    model: "glm-ocr",
-    file: fileUrl,
-    return_crop_images: false,
-    need_layout_visualization: false,
-    start_page_id: startPage
-  };
-  if (endPage) payload["end_page_id"] = endPage;
-  const res = await fetch(`${ZHIPU_BASE_URL}/layout_parsing`, {
-    method: "POST",
-    headers: {
-      "Content-Type": "application/json",
-      Authorization: `Bearer ${apiKey}`
-    },
-    body: JSON.stringify(payload)
-  });
-  if (!res.ok) {
-    const err = await res.text().catch(() => res.statusText);
-    throw new Error(`GLM OCR API error ${res.status}: ${err}`);
-  }
-  const data = await res.json();
-  return data.markdown_result || data.choices?.[0]?.message?.content || JSON.stringify(data);
-}
-async function callGLMImageGen(prompt, size, quality) {
-  const apiKey = process.env.ZHIPU_API_KEY;
-  if (!apiKey) throw new Error("ZHIPU_API_KEY environment variable is required for GLM Image Gen");
-  const res = await fetch(`${ZHIPU_BASE_URL}/images/generations`, {
-    method: "POST",
-    headers: {
-      "Content-Type": "application/json",
-      Authorization: `Bearer ${apiKey}`
-    },
-    body: JSON.stringify({
-      model: "cogview-4-250304",
-      prompt,
-      size,
-      quality,
-      watermark_enabled: false
-    })
-  });
-  if (!res.ok) {
-    const err = await res.text().catch(() => res.statusText);
-    throw new Error(`GLM Image API error ${res.status}: ${err}`);
-  }
-  const data = await res.json();
-  const url = data.data?.[0]?.url;
-  if (!url) throw new Error("No image URL in GLM response");
-  return url;
-}
-function registerGLMVisionTool(server) {
+var MODAL_GPU_TYPES = ["T4", "L4", "A10G", "A100", "A100-80GB", "H100"];
+function registerModalTool(server) {
   server.registerTool(
-    "blockrun_glm_vision",
+    "blockrun_modal",
     {
-      description: `Analyze images and documents using Zhipu AI's GLM vision models.
+      description: `Run isolated code in a BlockRun-hosted Modal sandbox.
 
-Requires ZHIPU_API_KEY environment variable.
-
-Actions:
-- caption: Describe what's in an image
-- analyze: Deep analysis of an image (objects, layout, text, colors)
-- grounding: Locate specific elements in an image (returns bounding boxes)
-- code: Generate code from a UI screenshot or mockup
-- ocr: Extract text from a document/PDF (use file URL)
-- imagegen: Generate an image using CogView-4
+Use this when you need:
+- a disposable remote container
+- GPU access
+- a clean environment that will not affect the local machine
+- a safer place to run untrusted or heavy code
 
-Models:
-- glm-4.6v (default): Best quality vision model
-- glm-4.6v-flash: Faster, cheaper
-- glm-4.1v-thinking-flash: With reasoning/thinking
+Prefer local tools for normal repo work. Modal is best for isolation or remote execution.
 
-Cost: Zhipu AI pricing (separate from BlockRun x402 \u2014 uses ZHIPU_API_KEY)`,
+Pricing:
+- create: $0.01
+- exec/status/terminate: $0.001 each`,
       inputSchema: {
-        action: z10.enum(["caption", "analyze", "grounding", "code", "ocr", "imagegen"]).describe("Task to perform"),
-        image: z10.string().optional().describe("Image URL or base64 data URI (for vision actions)"),
-        prompt: z10.string().optional().describe("Custom prompt or question about the image. For imagegen: the image description"),
-        model: z10.enum(["glm-4.6v", "glm-4.6v-flash", "glm-4.1v-thinking-flash"]).optional().default("glm-4.6v").describe("Vision model to use"),
-        size: z10.enum(["1280x1280", "1280x720", "720x1280", "1024x1024"]).optional().default("1280x1280").describe("Image size (for imagegen)"),
-        quality: z10.enum(["hd", "standard"]).optional().default("hd").describe("Image quality (for imagegen)"),
-        start_page: z10.number().optional().default(1).describe("Start page for OCR (PDF)"),
-        end_page: z10.number().optional().describe("End page for OCR (PDF)")
+        action: z10.enum(["create", "exec", "status", "terminate"]).describe(
+          "Sandbox action to perform"
+        ),
+        sandbox_id: z10.string().optional().describe("Sandbox ID returned by a previous create"),
+        command: z10.array(z10.string()).optional().describe('Command array for exec, for example ["python", "-c", "print(2+2)"]'),
+        image: z10.string().optional().describe("Container image for create (default: python:3.11)"),
+        timeout: z10.number().optional().describe("Timeout in seconds for create or exec"),
+        cpu: z10.number().optional().describe("CPU cores for create"),
+        memory: z10.number().optional().describe("Memory in MB for create"),
+        gpu: z10.enum(MODAL_GPU_TYPES).optional().describe("Optional GPU type for create"),
+        setup_commands: z10.array(z10.string()).optional().describe("Shell commands to run during sandbox setup")
       }
     },
-    async ({ action, image, prompt, model, size, quality, start_page, end_page }) => {
+    async ({ action, sandbox_id, command, image, timeout, cpu, memory, gpu, setup_commands }) => {
       try {
-        if (action === "imagegen") {
-          const imagePrompt = prompt || image || "";
-          if (!imagePrompt) {
-            return { content: [{ type: "text", text: formatError("prompt is required for imagegen action") }], isError: true };
-          }
-          const url = await callGLMImageGen(imagePrompt, size ?? "1280x1280", quality ?? "hd");
-          return {
-            content: [{ type: "text", text: `Generated image: ${url}` }],
-            structuredContent: { url }
-          };
-        }
-        if (action === "ocr") {
-          const fileUrl = image || prompt;
-          if (!fileUrl) {
-            return { content: [{ type: "text", text: formatError("image (PDF URL) is required for OCR") }], isError: true };
-          }
-          const result2 = await callGLMOCR(fileUrl, start_page ?? 1, end_page);
-          return { content: [{ type: "text", text: result2 }] };
-        }
-        if (!image) {
-          return { content: [{ type: "text", text: formatError("image is required for vision actions") }], isError: true };
+        const llm = getClient();
+        const req = llm;
+        let result;
+        switch (action) {
+          case "create":
+            result = await req.requestWithPaymentRaw("/v1/modal/sandbox/create", {
+              image,
+              timeout,
+              cpu,
+              memory,
+              gpu,
+              setup_commands
+            });
+            break;
+          case "exec":
+            if (!sandbox_id) throw new Error("sandbox_id required for exec action");
+            if (!command?.length) throw new Error("command array required for exec action");
+            result = await req.requestWithPaymentRaw("/v1/modal/sandbox/exec", {
+              sandbox_id,
+              command,
+              timeout
+            });
+            break;
+          case "status":
+            if (!sandbox_id) throw new Error("sandbox_id required for status action");
+            result = await req.requestWithPaymentRaw("/v1/modal/sandbox/status", { sandbox_id });
+            break;
+          case "terminate":
+            if (!sandbox_id) throw new Error("sandbox_id required for terminate action");
+            result = await req.requestWithPaymentRaw("/v1/modal/sandbox/terminate", {
+              sandbox_id
+            });
+            break;
+          default:
+            throw new Error(`Unknown action: ${String(action)}`);
         }
-        const actionPrompts = {
-          caption: "Describe this image concisely and accurately.",
-          analyze: "Analyze this image in detail: describe all visible objects, layout, colors, text, and any notable features.",
-          grounding: `Locate the following elements in the image and return their bounding boxes in [x1,y1,x2,y2] format (0-1000 normalized): ${prompt || "all interactive UI elements"}`,
-          code: "Generate complete, working code to replicate this UI. Use React + TypeScript + Tailwind CSS. Include all components, styling, and mock data visible in the screenshot."
+        return {
+          content: [{ type: "text", text: JSON.stringify(result, null, 2) }],
+          structuredContent: result
         };
-        const visionPrompt = actionPrompts[action] || prompt || actionPrompts.caption;
-        const result = await callGLMVision(model ?? "glm-4.6v", visionPrompt, image);
-        return { content: [{ type: "text", text: result }] };
       } catch (err) {
         const errMsg = err instanceof Error ? err.message : String(err);
-        return { content: [{ type: "text", text: formatError(errMsg) }], isError: true };
+        return {
+          content: [{ type: "text", text: formatError(errMsg) }],
+          isError: true
+        };
       }
     }
   );
@@ -1220,9 +1142,7 @@ function initializeMcpServer(server) {
   registerExaTool(server);
   registerMarketsTool(server);
   registerDexTool(server);
-  if (process.env.ZHIPU_API_KEY) {
-    registerGLMVisionTool(server);
-  }
+  registerModalTool(server);
   server.registerResource(
     "wallet",
     "blockrun://wallet",
@@ -1258,8 +1178,90 @@ function initializeMcpServer(server) {
   );
 }
 
+// src/utils/key-leak-scanner.ts
+import fs2 from "fs";
+import path2 from "path";
+import os2 from "os";
+function looksLikeRawPrivateKey(value) {
+  if (typeof value !== "string") return false;
+  if (/^0x[0-9a-fA-F]{64}$/.test(value)) return true;
+  if (value.length >= 80 && value.length <= 100 && /^[1-9A-HJ-NP-Za-km-z]+$/.test(value)) return true;
+  return false;
+}
+function walk(obj, file, jsonPath, out) {
+  if (obj === null || typeof obj !== "object") return;
+  if (Array.isArray(obj)) {
+    obj.forEach((v, i) => walk(v, file, `${jsonPath}[${i}]`, out));
+    return;
+  }
+  for (const [k, v] of Object.entries(obj)) {
+    const next = jsonPath ? `${jsonPath}.${k}` : k;
+    if (/wallet[-_ ]?key|private[-_ ]?key|secret/i.test(k) && looksLikeRawPrivateKey(v)) {
+      out.push({ file, path: next });
+    } else if (looksLikeRawPrivateKey(v)) {
+      out.push({ file, path: next });
+    }
+    walk(v, file, next, out);
+  }
+}
+function scanFile(file) {
+  try {
+    if (!fs2.existsSync(file)) return [];
+    const raw = fs2.readFileSync(file, "utf-8");
+    const data = JSON.parse(raw);
+    const out = [];
+    walk(data, file, "", out);
+    return out;
+  } catch {
+    return [];
+  }
+}
+function warnOnLeakedKeys() {
+  const home = os2.homedir();
+  const candidates = [
+    path2.join(home, ".claude.json"),
+    path2.join(home, "Library", "Application Support", "Claude", "claude_desktop_config.json"),
+    path2.join(home, ".config", "claude", "claude_desktop_config.json"),
+    path2.join(home, "AppData", "Roaming", "Claude", "claude_desktop_config.json")
+  ];
+  const findings = [];
+  for (const f of candidates) findings.push(...scanFile(f));
+  if (findings.length === 0) return false;
+  const bar = "\u2550".repeat(72);
+  console.error("");
+  console.error(`\x1B[31m${bar}`);
+  console.error("  \u{1F6A8} WALLET PRIVATE KEY DETECTED IN CONFIG FILE");
+  console.error(bar + "\x1B[0m");
+  console.error("");
+  console.error("  Your config contains what looks like a raw wallet private key.");
+  console.error("  Private keys should NEVER be stored in these files \u2014 they get");
+  console.error("  backed up to iCloud / Dropbox / Time Machine, synced across");
+  console.error("  machines, and readable by anything that can read your config.");
+  console.error("");
+  console.error("  Found in:");
+  for (const f of findings) {
+    console.error(`    \xB7 ${f.file}`);
+    console.error(`      at: ${f.path}`);
+  }
+  console.error("");
+  console.error("  RECOMMENDED ACTIONS:");
+  console.error("    1. Treat this key as compromised. Rotate your wallet:");
+  console.error("       - Create a new wallet");
+  console.error("       - Transfer remaining USDC to the new address");
+  console.error("       - Retire the old key");
+  console.error("    2. Remove the X-Wallet-Key entries from your config.");
+  console.error("    3. Reconnect using the local package (signs locally, key");
+  console.error("       never leaves your machine):");
+  console.error("         claude mcp remove blockrun");
+  console.error("         claude mcp add blockrun npx -y @blockrun/mcp@latest");
+  console.error("");
+  console.error("  Details: https://github.com/BlockRunAI/blockrun-mcp-server/issues/1");
+  console.error("");
+  return true;
+}
+
 // src/index.ts
-var VERSION = "0.6.8";
+var VERSION = "0.7.2";
 async function checkForUpdate() {
   try {
     const resp = await fetch("https://registry.npmjs.org/@blockrun/mcp/latest", {
@@ -1274,6 +1276,7 @@ async function checkForUpdate() {
   }
 }
 async function main() {
+  warnOnLeakedKeys();
   const server = new McpServer({
     name: "blockrun-mcp",
     version: VERSION

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blockrun/mcp",
-  "version": "0.7.0",
+  "version": "0.7.2",
   "mcpName": "io.github.BlockRunAI/blockrun-mcp",
   "description": "BlockRun MCP Server - Give your AI agent web search, deep research, prediction markets, crypto data, X/Twitter intelligence. Paid via x402 micropayments.",
   "type": "module",