npm - @blockrun/runcode - Versions diffs - 1.8.0 → 2.1.0 - Mend

@blockrun/runcode 1.8.0 → 2.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (16) hide show

package/dist/agent/compact.js CHANGED Viewed

@@ -136,10 +136,11 @@ async function compactHistory(history, model, client, debug) {
  * Keeps the most recent tool exchange + the last few user/assistant turns.
  */
 function findKeepBoundary(history) {
-    // Keep at least the last 6 messages (3 turns), or ~30% of history
-    const minKeep = Math.min(6, history.length);
-    const pctKeep = Math.ceil(history.length * 0.3);
-    let keep = Math.max(minKeep, pctKeep);
+    // Keep the last 8-20 messages (absolute range, not percentage)
+    // Prevents "never compacts" bug when history grows large
+    const minKeep = Math.min(8, history.length);
+    const maxKeep = Math.min(20, history.length - 1);
+    let keep = Math.max(minKeep, Math.min(maxKeep, Math.ceil(history.length * 0.3)));
     // Make sure we don't split in the middle of a tool exchange
     // (assistant with tool_use must be followed by user with tool_result)
     while (keep < history.length) {

package/dist/agent/llm.js CHANGED Viewed

@@ -129,7 +129,12 @@ export class ModelClient {
                         try {
                             parsedInput = JSON.parse(currentToolInput || '{}');
                         }
-                        catch { /* empty */ }
+                        catch (parseErr) {
+                            // Log malformed JSON instead of silently defaulting to {}
+                            if (this.debug) {
+                                console.error(`[runcode] Malformed tool input JSON for ${currentToolName}: ${parseErr.message}`);
+                            }
+                        }
                         const toolInvocation = {
                             type: 'tool_use',
                             id: currentToolId,

package/dist/agent/loop.js CHANGED Viewed

@@ -5,7 +5,7 @@
  */
 import { ModelClient } from './llm.js';
 import { autoCompactIfNeeded, forceCompact, microCompact } from './compact.js';
-import { estimateHistoryTokens } from './tokens.js';
+import { estimateHistoryTokens, updateActualTokens, resetTokenAnchor } from './tokens.js';
 import { PermissionManager } from './permissions.js';
 import { StreamingExecutor } from './streaming-executor.js';
 import { optimizeHistory, CAPPED_MAX_TOKENS, ESCALATED_MAX_TOKENS } from './optimize.js';
@@ -215,7 +215,7 @@ export async function interactiveSession(config, getUserInput, onEvent, onAbortR
     // Session persistence
     const sessionId = createSessionId();
     let turnCount = 0;
-    pruneOldSessions(); // Cleanup old sessions on start
+    pruneOldSessions(sessionId); // Cleanup old sessions on start, protect current
     while (true) {
         let input = await getUserInput();
         if (input === null)
@@ -287,6 +287,26 @@ export async function interactiveSession(config, getUserInput, onEvent, onAbortR
             onEvent({ kind: 'turn_done', reason: 'completed' });
             continue;
         }
+        // Handle /mcp — show connected MCP servers
+        if (input === '/mcp') {
+            const { listMcpServers } = await import('../mcp/client.js');
+            const servers = listMcpServers();
+            if (servers.length === 0) {
+                onEvent({ kind: 'text_delta', text: 'No MCP servers connected.\nAdd servers to `~/.blockrun/mcp.json` or `.mcp.json` in your project.\n' });
+            }
+            else {
+                let text = `**${servers.length} MCP server(s) connected:**\n\n`;
+                for (const s of servers) {
+                    text += `  **${s.name}** — ${s.toolCount} tools\n`;
+                    for (const t of s.tools) {
+                        text += `    · ${t}\n`;
+                    }
+                }
+                onEvent({ kind: 'text_delta', text });
+            }
+            onEvent({ kind: 'turn_done', reason: 'completed' });
+            continue;
+        }
         // Handle /bug — open issue tracker
         if (input === '/bug') {
             onEvent({ kind: 'text_delta', text: 'Report issues at: https://github.com/BlockRunAI/runcode/issues\n' });
@@ -480,7 +500,10 @@ export async function interactiveSession(config, getUserInput, onEvent, onAbortR
         }
         // Handle /context — show current session context info
         if (input === '/context') {
-            const tokens = estimateHistoryTokens(history);
+            const { getAnchoredTokenCount, getContextWindow } = await import('./tokens.js');
+            const { estimated, apiAnchored } = getAnchoredTokenCount(history);
+            const contextWindow = getContextWindow(config.model);
+            const usagePct = ((estimated / contextWindow) * 100).toFixed(1);
             const msgs = history.length;
             const model = config.model;
             const dir = config.workingDir || process.cwd();
@@ -489,7 +512,7 @@ export async function interactiveSession(config, getUserInput, onEvent, onAbortR
                     `  Model:      ${model}\n` +
                     `  Mode:       ${mode}\n` +
                     `  Messages:   ${msgs}\n` +
-                    `  Tokens:     ~${tokens.toLocaleString()}\n` +
+                    `  Tokens:     ~${estimated.toLocaleString()} / ${(contextWindow / 1000).toFixed(0)}k (${usagePct}%)${apiAnchored ? ' ✓' : ' ~'}\n` +
                     `  Session:    ${sessionId}\n` +
                     `  Directory:  ${dir}\n`
             });
@@ -605,6 +628,7 @@ export async function interactiveSession(config, getUserInput, onEvent, onAbortR
             if (didCompact) {
                 history.length = 0;
                 history.push(...compacted);
+                resetTokenAnchor(); // Reset anchor after compaction — estimates will be used
                 if (config.debug) {
                     console.error(`[runcode] History compacted: ~${estimateHistoryTokens(history)} tokens`);
                 }
@@ -696,6 +720,8 @@ export async function interactiveSession(config, getUserInput, onEvent, onAbortR
                 onEvent({ kind: 'turn_done', reason: 'error', error: errMsg + suggestion });
                 break;
             }
+            // Anchor token tracking to actual API counts
+            updateActualTokens(usage.inputTokens, usage.outputTokens, history.length);
             onEvent({
                 kind: 'usage',
                 inputTokens: usage.inputTokens,

package/dist/agent/optimize.js CHANGED Viewed

@@ -49,7 +49,12 @@ export function budgetToolResults(history) {
             // Per-tool cap
             if (size > MAX_TOOL_RESULT_CHARS) {
                 modified = true;
-                const preview = content.slice(0, PREVIEW_CHARS);
+                // Truncate at line boundary for cleaner output
+                let preview = content.slice(0, PREVIEW_CHARS);
+                const lastNewline = preview.lastIndexOf('\n');
+                if (lastNewline > PREVIEW_CHARS * 0.5) {
+                    preview = preview.slice(0, lastNewline);
+                }
                 budgeted.push({
                     type: 'tool_result',
                     tool_use_id: part.tool_use_id,

package/dist/agent/tokens.d.ts CHANGED Viewed

@@ -1,8 +1,27 @@
 /**
  * Token estimation for runcode.
  * Uses byte-based heuristic (no external tokenizer dependency).
+ * Anchors to actual API counts when available, estimates on top for new messages.
  */
 import type { Dialogue } from './types.js';
+/**
+ * Update with actual token counts from API response.
+ * This anchors our estimates to reality.
+ */
+export declare function updateActualTokens(inputTokens: number, outputTokens: number, messageCount: number): void;
+/**
+ * Get token count using API anchor + estimation for new messages.
+ * More accurate than pure estimation because it's grounded in actual API counts.
+ */
+export declare function getAnchoredTokenCount(history: Dialogue[]): {
+    estimated: number;
+    apiAnchored: boolean;
+    contextUsagePct: number;
+};
+/**
+ * Reset anchor (e.g., after compaction).
+ */
+export declare function resetTokenAnchor(): void;
 /**
  * Estimate token count for a string using byte-length heuristic.
  * JSON-heavy content uses 2 bytes/token; general text uses 4.

package/dist/agent/tokens.js CHANGED Viewed

@@ -1,8 +1,64 @@
 /**
  * Token estimation for runcode.
  * Uses byte-based heuristic (no external tokenizer dependency).
+ * Anchors to actual API counts when available, estimates on top for new messages.
  */
 const DEFAULT_BYTES_PER_TOKEN = 4;
+// ─── API-anchored token tracking ───────────────────────���──────────────────
+/** Last known actual token count from API response */
+let lastApiInputTokens = 0;
+let lastApiOutputTokens = 0;
+let lastApiMessageCount = 0;
+/**
+ * Update with actual token counts from API response.
+ * This anchors our estimates to reality.
+ */
+export function updateActualTokens(inputTokens, outputTokens, messageCount) {
+    lastApiInputTokens = inputTokens;
+    lastApiOutputTokens = outputTokens;
+    lastApiMessageCount = messageCount;
+}
+/**
+ * Get token count using API anchor + estimation for new messages.
+ * More accurate than pure estimation because it's grounded in actual API counts.
+ */
+export function getAnchoredTokenCount(history) {
+    if (lastApiInputTokens > 0 && lastApiMessageCount > 0 && history.length >= lastApiMessageCount) {
+        // Sanity check: if history was mutated (compaction, micro-compact), anchor may be stale.
+        // Detect by checking if new messages were only appended (length grew), not if content changed.
+        // If history grew by more than expected (e.g., resume injected many messages), fall through to estimation.
+        const growth = history.length - lastApiMessageCount;
+        if (growth <= 20) { // Reasonable growth since last API call
+            const newMessages = history.slice(lastApiMessageCount);
+            let newTokens = 0;
+            for (const msg of newMessages) {
+                newTokens += estimateDialogueTokens(msg);
+            }
+            const total = lastApiInputTokens + newTokens;
+            return {
+                estimated: total,
+                apiAnchored: true,
+                contextUsagePct: 0,
+            };
+        }
+        // Too much growth — anchor is unreliable, fall through to estimation
+        resetTokenAnchor();
+    }
+    // No anchor — pure estimation
+    return {
+        estimated: estimateHistoryTokens(history),
+        apiAnchored: false,
+        contextUsagePct: 0,
+    };
+}
+/**
+ * Reset anchor (e.g., after compaction).
+ */
+export function resetTokenAnchor() {
+    lastApiInputTokens = 0;
+    lastApiOutputTokens = 0;
+    lastApiMessageCount = 0;
+}
 /**
  * Estimate token count for a string using byte-length heuristic.
  * JSON-heavy content uses 2 bytes/token; general text uses 4.

package/dist/commands/start.js CHANGED Viewed

@@ -9,6 +9,8 @@ import { interactiveSession } from '../agent/loop.js';
 import { allCapabilities, createSubAgentCapability } from '../tools/index.js';
 import { launchInkUI } from '../ui/app.js';
 import { pickModel, resolveModel } from '../ui/model-picker.js';
+import { loadMcpConfig } from '../mcp/config.js';
+import { connectMcpServers, disconnectMcpServers } from '../mcp/client.js';
 export async function startCommand(options) {
     const version = options.version ?? '1.0.0';
     const chain = loadChain();
@@ -92,9 +94,26 @@ export async function startCommand(options) {
     })();
     // Assemble system instructions
     const systemInstructions = assembleInstructions(workDir);
-    // Build capabilities
+    // Connect MCP servers (non-blocking — add tools if servers are available)
+    const mcpConfig = loadMcpConfig(workDir);
+    let mcpTools = [];
+    const mcpServerCount = Object.keys(mcpConfig.mcpServers).filter(k => !mcpConfig.mcpServers[k].disabled).length;
+    if (mcpServerCount > 0) {
+        try {
+            mcpTools = await connectMcpServers(mcpConfig, options.debug);
+            if (mcpTools.length > 0) {
+                console.log(chalk.dim(`  MCP:    ${mcpTools.length} tools from ${mcpServerCount} server(s)`));
+            }
+        }
+        catch (err) {
+            if (options.debug) {
+                console.error(chalk.yellow(`  MCP error: ${err.message}`));
+            }
+        }
+    }
+    // Build capabilities (built-in + MCP + sub-agent)
     const subAgent = createSubAgentCapability(apiUrl, chain, allCapabilities);
-    const capabilities = [...allCapabilities, subAgent];
+    const capabilities = [...allCapabilities, ...mcpTools, subAgent];
     // Agent config
     const agentConfig = {
         model,
@@ -149,6 +168,7 @@ async function runWithInkUI(agentConfig, model, workDir, version, walletInfo, on
     }
     ui.cleanup();
     flushStats();
+    await disconnectMcpServers();
     console.log(chalk.dim('\nGoodbye.\n'));
     process.exit(0);
 }

package/dist/mcp/client.d.ts ADDED Viewed

@@ -0,0 +1,44 @@
+/**
+ * MCP Client for runcode.
+ * Connects to MCP servers, discovers tools, and wraps them as CapabilityHandlers.
+ * Supports stdio and HTTP (SSE) transports.
+ */
+import type { CapabilityHandler } from '../agent/types.js';
+export interface McpServerConfig {
+    /** Transport type */
+    transport: 'stdio' | 'http';
+    /** For stdio: command to run */
+    command?: string;
+    /** For stdio: arguments */
+    args?: string[];
+    /** For stdio: environment variables */
+    env?: Record<string, string>;
+    /** For http: server URL */
+    url?: string;
+    /** For http: headers */
+    headers?: Record<string, string>;
+    /** Human-readable label */
+    label?: string;
+    /** Disable this server */
+    disabled?: boolean;
+}
+export interface McpConfig {
+    mcpServers: Record<string, McpServerConfig>;
+}
+/**
+ * Connect to all configured MCP servers and return discovered tools.
+ * Each connection has a 5s timeout to avoid blocking startup.
+ */
+export declare function connectMcpServers(config: McpConfig, debug?: boolean): Promise<CapabilityHandler[]>;
+/**
+ * Disconnect all MCP servers.
+ */
+export declare function disconnectMcpServers(): Promise<void>;
+/**
+ * List connected MCP servers and their tools.
+ */
+export declare function listMcpServers(): Array<{
+    name: string;
+    toolCount: number;
+    tools: string[];
+}>;

package/dist/mcp/client.js ADDED Viewed

@@ -0,0 +1,147 @@
+/**
+ * MCP Client for runcode.
+ * Connects to MCP servers, discovers tools, and wraps them as CapabilityHandlers.
+ * Supports stdio and HTTP (SSE) transports.
+ */
+import { Client } from '@modelcontextprotocol/sdk/client/index.js';
+import { StdioClientTransport } from '@modelcontextprotocol/sdk/client/stdio.js';
+// ─── Connection Management ────────────────────────────────────────────────
+const connections = new Map();
+/**
+ * Connect to an MCP server via stdio transport.
+ * Discovers tools and returns them as CapabilityHandlers.
+ */
+async function connectStdio(name, config) {
+    if (!config.command) {
+        throw new Error(`MCP server "${name}" missing command`);
+    }
+    const transport = new StdioClientTransport({
+        command: config.command,
+        args: config.args || [],
+        env: { ...process.env, ...(config.env || {}) },
+    });
+    const client = new Client({ name: `runcode-mcp-${name}`, version: '1.0.0' }, { capabilities: {} });
+    try {
+        await client.connect(transport);
+    }
+    catch (err) {
+        // Clean up transport if connect fails to prevent resource leak
+        try {
+            await transport.close();
+        }
+        catch { /* ignore */ }
+        throw err;
+    }
+    // Discover tools
+    const { tools: mcpTools } = await client.listTools();
+    const capabilities = [];
+    for (const tool of mcpTools) {
+        const toolName = `mcp__${name}__${tool.name}`;
+        const toolDescription = (tool.description || '').slice(0, 2048);
+        capabilities.push({
+            spec: {
+                name: toolName,
+                description: toolDescription || `MCP tool from ${name}`,
+                input_schema: tool.inputSchema || {
+                    type: 'object',
+                    properties: {},
+                },
+            },
+            execute: async (input, _ctx) => {
+                const MCP_TOOL_TIMEOUT = 30_000;
+                try {
+                    // Timeout protection: if tool hangs, don't block the agent forever
+                    const callPromise = client.callTool({ name: tool.name, arguments: input });
+                    const timeoutPromise = new Promise((_, reject) => setTimeout(() => reject(new Error(`MCP tool timeout after ${MCP_TOOL_TIMEOUT / 1000}s`)), MCP_TOOL_TIMEOUT));
+                    const result = await Promise.race([callPromise, timeoutPromise]);
+                    // Extract text content from MCP response
+                    const output = result.content
+                        ?.filter(c => c.type === 'text')
+                        ?.map(c => c.text)
+                        ?.join('\n') || JSON.stringify(result.content);
+                    return {
+                        output,
+                        isError: result.isError === true,
+                    };
+                }
+                catch (err) {
+                    return {
+                        output: `MCP tool error (${name}/${tool.name}): ${err.message}`,
+                        isError: true,
+                    };
+                }
+            },
+            concurrent: true, // MCP tools are safe to run concurrently
+        });
+    }
+    const connected = { name, client, transport, tools: capabilities };
+    connections.set(name, connected);
+    return connected;
+}
+/**
+ * Connect to all configured MCP servers and return discovered tools.
+ */
+const MCP_CONNECT_TIMEOUT = 5_000; // 5s per server connection
+/**
+ * Connect to all configured MCP servers and return discovered tools.
+ * Each connection has a 5s timeout to avoid blocking startup.
+ */
+export async function connectMcpServers(config, debug) {
+    const allTools = [];
+    for (const [name, serverConfig] of Object.entries(config.mcpServers)) {
+        if (serverConfig.disabled)
+            continue;
+        try {
+            if (debug) {
+                console.error(`[runcode] Connecting to MCP server: ${name}...`);
+            }
+            if (serverConfig.transport !== 'stdio') {
+                if (debug) {
+                    console.error(`[runcode] MCP HTTP transport not yet supported for ${name}`);
+                }
+                continue;
+            }
+            // Timeout: don't let a slow server block startup
+            const connectPromise = connectStdio(name, serverConfig);
+            const timeoutPromise = new Promise((_, reject) => setTimeout(() => reject(new Error('connection timeout (5s)')), MCP_CONNECT_TIMEOUT));
+            const connected = await Promise.race([connectPromise, timeoutPromise]);
+            allTools.push(...connected.tools);
+            if (debug) {
+                console.error(`[runcode] MCP ${name}: ${connected.tools.length} tools discovered`);
+            }
+        }
+        catch (err) {
+            // Graceful degradation — log and continue without this server
+            console.error(`[runcode] MCP ${name} failed: ${err.message}`);
+        }
+    }
+    return allTools;
+}
+/**
+ * Disconnect all MCP servers.
+ */
+export async function disconnectMcpServers() {
+    for (const [name, conn] of connections) {
+        try {
+            await conn.client.close();
+        }
+        catch {
+            // Ignore cleanup errors
+        }
+        connections.delete(name);
+    }
+}
+/**
+ * List connected MCP servers and their tools.
+ */
+export function listMcpServers() {
+    const result = [];
+    for (const [name, conn] of connections) {
+        result.push({
+            name,
+            toolCount: conn.tools.length,
+            tools: conn.tools.map(t => t.spec.name),
+        });
+    }
+    return result;
+}

package/dist/mcp/config.d.ts ADDED Viewed

@@ -0,0 +1,20 @@
+/**
+ * MCP configuration management for runcode.
+ * Loads MCP server configs from:
+ * 1. Global: ~/.blockrun/mcp.json
+ * 2. Project: .mcp.json in working directory
+ */
+import type { McpConfig, McpServerConfig } from './client.js';
+export declare function loadMcpConfig(workDir: string): McpConfig;
+/**
+ * Save a server config to the global MCP config.
+ */
+export declare function saveMcpServer(name: string, config: McpServerConfig): void;
+/**
+ * Remove a server from the global MCP config.
+ */
+export declare function removeMcpServer(name: string): boolean;
+/**
+ * Trust a project directory to load its .mcp.json.
+ */
+export declare function trustProjectDir(workDir: string): void;

package/dist/mcp/config.js ADDED Viewed

@@ -0,0 +1,116 @@
+/**
+ * MCP configuration management for runcode.
+ * Loads MCP server configs from:
+ * 1. Global: ~/.blockrun/mcp.json
+ * 2. Project: .mcp.json in working directory
+ */
+import fs from 'node:fs';
+import path from 'node:path';
+import { BLOCKRUN_DIR } from '../config.js';
+const GLOBAL_MCP_FILE = path.join(BLOCKRUN_DIR, 'mcp.json');
+/**
+ * Load MCP server configurations from global + project files.
+ * Project config overrides global for same server name.
+ */
+// Built-in MCP server: @blockrun/mcp is always available (zero config)
+const BUILTIN_MCP_SERVERS = {
+    blockrun: {
+        transport: 'stdio',
+        command: 'npx',
+        args: ['-y', '@blockrun/mcp'],
+        label: 'BlockRun (built-in)',
+    },
+};
+export function loadMcpConfig(workDir) {
+    // Start with built-in servers
+    const servers = { ...BUILTIN_MCP_SERVERS };
+    // 1. Global config
+    try {
+        if (fs.existsSync(GLOBAL_MCP_FILE)) {
+            const raw = JSON.parse(fs.readFileSync(GLOBAL_MCP_FILE, 'utf-8'));
+            if (raw.mcpServers && typeof raw.mcpServers === 'object') {
+                Object.assign(servers, raw.mcpServers);
+            }
+        }
+    }
+    catch {
+        // Ignore corrupt global config
+    }
+    // 2. Project config (.mcp.json in working directory)
+    // Security: project configs can execute arbitrary commands via stdio transport.
+    // Only load if a trust marker exists (user has explicitly opted in).
+    const projectMcpFile = path.join(workDir, '.mcp.json');
+    const trustMarker = path.join(BLOCKRUN_DIR, 'trusted-projects.json');
+    try {
+        if (fs.existsSync(projectMcpFile)) {
+            // Check if this project directory is trusted
+            let trusted = false;
+            try {
+                if (fs.existsSync(trustMarker)) {
+                    const trustedDirs = JSON.parse(fs.readFileSync(trustMarker, 'utf-8'));
+                    trusted = Array.isArray(trustedDirs) && trustedDirs.includes(workDir);
+                }
+            }
+            catch { /* not trusted */ }
+            if (trusted) {
+                const raw = JSON.parse(fs.readFileSync(projectMcpFile, 'utf-8'));
+                if (raw.mcpServers && typeof raw.mcpServers === 'object') {
+                    Object.assign(servers, raw.mcpServers);
+                }
+            }
+            // If not trusted, silently skip project config (user must run /mcp trust)
+        }
+    }
+    catch {
+        // Ignore corrupt project config
+    }
+    return { mcpServers: servers };
+}
+/**
+ * Save a server config to the global MCP config.
+ */
+export function saveMcpServer(name, config) {
+    const existing = loadGlobalMcpConfig();
+    existing.mcpServers[name] = config;
+    fs.mkdirSync(BLOCKRUN_DIR, { recursive: true });
+    fs.writeFileSync(GLOBAL_MCP_FILE, JSON.stringify(existing, null, 2) + '\n');
+}
+/**
+ * Remove a server from the global MCP config.
+ */
+export function removeMcpServer(name) {
+    const existing = loadGlobalMcpConfig();
+    if (!(name in existing.mcpServers))
+        return false;
+    delete existing.mcpServers[name];
+    fs.writeFileSync(GLOBAL_MCP_FILE, JSON.stringify(existing, null, 2) + '\n');
+    return true;
+}
+/**
+ * Trust a project directory to load its .mcp.json.
+ */
+export function trustProjectDir(workDir) {
+    const trustMarker = path.join(BLOCKRUN_DIR, 'trusted-projects.json');
+    let trusted = [];
+    try {
+        if (fs.existsSync(trustMarker)) {
+            trusted = JSON.parse(fs.readFileSync(trustMarker, 'utf-8'));
+        }
+    }
+    catch { /* fresh */ }
+    if (!trusted.includes(workDir)) {
+        trusted.push(workDir);
+        fs.mkdirSync(BLOCKRUN_DIR, { recursive: true });
+        fs.writeFileSync(trustMarker, JSON.stringify(trusted, null, 2));
+    }
+}
+function loadGlobalMcpConfig() {
+    try {
+        if (fs.existsSync(GLOBAL_MCP_FILE)) {
+            const raw = JSON.parse(fs.readFileSync(GLOBAL_MCP_FILE, 'utf-8'));
+            return { mcpServers: raw.mcpServers || {} };
+        }
+    }
+    catch { /* fresh */ }
+    return { mcpServers: {} };
+}

package/dist/session/storage.d.ts CHANGED Viewed

@@ -39,4 +39,8 @@ export declare function listSessions(): SessionMeta[];
 /**
  * Prune old sessions beyond MAX_SESSIONS.
  */
-export declare function pruneOldSessions(): void;
+/**
+ * Prune old sessions beyond MAX_SESSIONS.
+ * Accepts optional activeSessionId to protect from deletion.
+ */
+export declare function pruneOldSessions(activeSessionId?: string): void;

package/dist/session/storage.js CHANGED Viewed

@@ -67,7 +67,17 @@ export function loadSessionHistory(sessionId) {
     try {
         const content = fs.readFileSync(sessionPath(sessionId), 'utf-8');
         const lines = content.trim().split('\n').filter(Boolean);
-        return lines.map(line => JSON.parse(line));
+        const results = [];
+        for (const line of lines) {
+            try {
+                results.push(JSON.parse(line));
+            }
+            catch {
+                // Skip corrupted lines — partial writes from crashes
+                continue;
+            }
+        }
+        return results;
     }
     catch {
         return [];
@@ -98,11 +108,17 @@ export function listSessions() {
 /**
  * Prune old sessions beyond MAX_SESSIONS.
  */
-export function pruneOldSessions() {
+/**
+ * Prune old sessions beyond MAX_SESSIONS.
+ * Accepts optional activeSessionId to protect from deletion.
+ */
+export function pruneOldSessions(activeSessionId) {
     const sessions = listSessions();
     if (sessions.length <= MAX_SESSIONS)
         return;
-    const toDelete = sessions.slice(MAX_SESSIONS);
+    const toDelete = sessions
+        .slice(MAX_SESSIONS)
+        .filter(s => s.id !== activeSessionId); // Never delete active session
     for (const s of toDelete) {
         try {
             fs.unlinkSync(sessionPath(s.id));

package/dist/tools/imagegen.js CHANGED Viewed

@@ -70,8 +70,11 @@ async function execute(input, ctx) {
             fs.writeFileSync(outPath, buffer);
         }
         else if (imageData.url) {
-            // Download from URL
-            const imgResp = await fetch(imageData.url);
+            // Download from URL (with 30s timeout)
+            const dlCtrl = new AbortController();
+            const dlTimeout = setTimeout(() => dlCtrl.abort(), 30_000);
+            const imgResp = await fetch(imageData.url, { signal: dlCtrl.signal });
+            clearTimeout(dlTimeout);
             const buffer = Buffer.from(await imgResp.arrayBuffer());
             fs.mkdirSync(path.dirname(outPath), { recursive: true });
             fs.writeFileSync(outPath, buffer);

package/dist/tools/write.js CHANGED Viewed

@@ -40,6 +40,16 @@ async function execute(input, ctx) {
         }
     }
     catch { /* parent doesn't exist yet, will be created */ }
+    // Also check if target file itself is a symlink to a sensitive location
+    try {
+        if (fs.existsSync(resolved) && fs.lstatSync(resolved).isSymbolicLink()) {
+            const realTarget = fs.realpathSync(resolved);
+            if (checkPath(realTarget)) {
+                return { output: `Error: refusing to write — symlink resolves to sensitive location: ${realTarget}`, isError: true };
+            }
+        }
+    }
+    catch { /* file doesn't exist yet, ok */ }
     try {
         // Ensure parent directory exists
         const parentDir = path.dirname(resolved);

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@blockrun/runcode",
-  "version": "1.8.0",
+  "version": "2.1.0",
   "description": "RunCode — AI coding agent powered by 41+ models. Pay per use with USDC.",
   "type": "module",
   "bin": {
@@ -43,6 +43,7 @@
   },
   "dependencies": {
     "@blockrun/llm": "^1.4.2",
+    "@modelcontextprotocol/sdk": "^1.29.0",
     "@solana/spl-token": "^0.4.14",
     "@solana/web3.js": "^1.98.4",
     "@types/react": "^19.2.14",