fix: MCP security trust, built-in @blockrun/mcp, token anchor safety, session recovery (v2.1.0)

Security: project .mcp.json requires trust, write symlink target check
MCP: @blockrun/mcp auto-registered, 5s connect timeout, 30s tool timeout, transport cleanup
Tokens: anchor sanity check on large history growth, LLM parse warning
Session: JSONL per-line recovery, prune protects active session
Tools: truncation at line boundary, imagegen download timeout, compact threshold capped

Author: 1bcMax

CHANGELOG.md

@@ -1,5 +1,28 @@
 # Changelog
 
+## 2.1.0 (2026-04-04)
+
+### Security
+- **MCP project config trust**: `.mcp.json` from project directories now requires explicit trust (`/mcp trust`). Prevents arbitrary code execution from untrusted repos.
+- **Write tool symlink protection**: Now also checks if the target file itself is a symlink to a sensitive location (was only checking parent directory).
+
+### MCP Improvements
+- **@blockrun/mcp built-in**: BlockRun MCP server auto-registered — zero config needed for search, dex, markets, chat tools.
+- **5s connection timeout**: Slow MCP servers don't block startup anymore.
+- **30s tool call timeout**: Hanging MCP tools don't freeze the agent.
+- **Transport leak fix**: Failed connections now properly clean up stdio transport.
+
+### Token Management
+- **Anchor sanity check**: Token anchor invalidated when history grows unexpectedly (e.g., /resume with large session). Falls back to estimation instead of wrong counts.
+- **LLM parse warning**: Malformed tool JSON input now logged in debug mode (was silently defaulting to {}).
+
+### Bug Fixes
+- **Session JSONL recovery**: Corrupted lines now skipped individually instead of failing entire session load.
+- **Session prune safety**: Active session ID protected from pruning.
+- **Tool result truncation**: Now truncates at line boundaries for cleaner previews.
+- **ImageGen download timeout**: 30s timeout on image URL download (was unlimited).
+- **Compact threshold**: Keep boundary now 8-20 messages (was unbounded 30% that could prevent compaction on long sessions).
+
 ## 2.0.0 (2026-04-04)
 
 ### MCP Support (Model Context Protocol)

dist/agent/compact.js

@@ -136,10 +136,11 @@ async function compactHistory(history, model, client, debug) {
  * Keeps the most recent tool exchange + the last few user/assistant turns.
  */
 function findKeepBoundary(history) {
-    // Keep at least the last 6 messages (3 turns), or ~30% of history
-    const minKeep = Math.min(6, history.length);
-    const pctKeep = Math.ceil(history.length * 0.3);
-    let keep = Math.max(minKeep, pctKeep);
+    // Keep the last 8-20 messages (absolute range, not percentage)
+    // Prevents "never compacts" bug when history grows large
+    const minKeep = Math.min(8, history.length);
+    const maxKeep = Math.min(20, history.length - 1);
+    let keep = Math.max(minKeep, Math.min(maxKeep, Math.ceil(history.length * 0.3)));
     // Make sure we don't split in the middle of a tool exchange
     // (assistant with tool_use must be followed by user with tool_result)
     while (keep < history.length) {

dist/agent/llm.js

@@ -129,7 +129,12 @@ export class ModelClient {
                         try {
                             parsedInput = JSON.parse(currentToolInput || '{}');
                         }
-                        catch { /* empty */ }
+                        catch (parseErr) {
+                            // Log malformed JSON instead of silently defaulting to {}
+                            if (this.debug) {
+                                console.error(`[runcode] Malformed tool input JSON for ${currentToolName}: ${parseErr.message}`);
+                            }
+                        }
                         const toolInvocation = {
                             type: 'tool_use',
                             id: currentToolId,

dist/agent/loop.js

@@ -215,7 +215,7 @@ export async function interactiveSession(config, getUserInput, onEvent, onAbortR
     // Session persistence
     const sessionId = createSessionId();
     let turnCount = 0;
-    pruneOldSessions(); // Cleanup old sessions on start
+    pruneOldSessions(sessionId); // Cleanup old sessions on start, protect current
     while (true) {
         let input = await getUserInput();
         if (input === null)

dist/agent/optimize.js

@@ -49,7 +49,12 @@ export function budgetToolResults(history) {
             // Per-tool cap
             if (size > MAX_TOOL_RESULT_CHARS) {
                 modified = true;
-                const preview = content.slice(0, PREVIEW_CHARS);
+                // Truncate at line boundary for cleaner output
+                let preview = content.slice(0, PREVIEW_CHARS);
+                const lastNewline = preview.lastIndexOf('\n');
+                if (lastNewline > PREVIEW_CHARS * 0.5) {
+                    preview = preview.slice(0, lastNewline);
+                }
                 budgeted.push({
                     type: 'tool_result',
                     tool_use_id: part.tool_use_id,

dist/agent/tokens.js

@@ -23,19 +23,26 @@ export function updateActualTokens(inputTokens, outputTokens, messageCount) {
  * More accurate than pure estimation because it's grounded in actual API counts.
  */
 export function getAnchoredTokenCount(history) {
-    if (lastApiInputTokens > 0 && history.length >= lastApiMessageCount) {
-        // Anchor to API count, estimate only new messages
-        const newMessages = history.slice(lastApiMessageCount);
-        let newTokens = 0;
-        for (const msg of newMessages) {
-            newTokens += estimateDialogueTokens(msg);
+    if (lastApiInputTokens > 0 && lastApiMessageCount > 0 && history.length >= lastApiMessageCount) {
+        // Sanity check: if history was mutated (compaction, micro-compact), anchor may be stale.
+        // Detect by checking if new messages were only appended (length grew), not if content changed.
+        // If history grew by more than expected (e.g., resume injected many messages), fall through to estimation.
+        const growth = history.length - lastApiMessageCount;
+        if (growth <= 20) { // Reasonable growth since last API call
+            const newMessages = history.slice(lastApiMessageCount);
+            let newTokens = 0;
+            for (const msg of newMessages) {
+                newTokens += estimateDialogueTokens(msg);
+            }
+            const total = lastApiInputTokens + newTokens;
+            return {
+                estimated: total,
+                apiAnchored: true,
+                contextUsagePct: 0,
+            };
         }
-        const total = lastApiInputTokens + newTokens;
-        return {
-            estimated: total,
-            apiAnchored: true,
-            contextUsagePct: 0, // Will be calculated by caller with model context window
-        };
+        // Too much growth — anchor is unreliable, fall through to estimation
+        resetTokenAnchor();
     }
     // No anchor — pure estimation
     return {

dist/mcp/client.d.ts

@@ -27,6 +27,7 @@ export interface McpConfig {
 }
 /**
  * Connect to all configured MCP servers and return discovered tools.
+ * Each connection has a 5s timeout to avoid blocking startup.
  */
 export declare function connectMcpServers(config: McpConfig, debug?: boolean): Promise<CapabilityHandler[]>;
 /**

dist/mcp/client.js

@@ -21,7 +21,17 @@ async function connectStdio(name, config) {
         env: { ...process.env, ...(config.env || {}) },
     });
     const client = new Client({ name: `runcode-mcp-${name}`, version: '1.0.0' }, { capabilities: {} });
-    await client.connect(transport);
+    try {
+        await client.connect(transport);
+    }
+    catch (err) {
+        // Clean up transport if connect fails to prevent resource leak
+        try {
+            await transport.close();
+        }
+        catch { /* ignore */ }
+        throw err;
+    }
     // Discover tools
     const { tools: mcpTools } = await client.listTools();
     const capabilities = [];
@@ -38,11 +48,12 @@ async function connectStdio(name, config) {
                 },
             },
             execute: async (input, _ctx) => {
+                const MCP_TOOL_TIMEOUT = 30_000;
                 try {
-                    const result = await client.callTool({
-                        name: tool.name,
-                        arguments: input,
-                    });
+                    // Timeout protection: if tool hangs, don't block the agent forever
+                    const callPromise = client.callTool({ name: tool.name, arguments: input });
+                    const timeoutPromise = new Promise((_, reject) => setTimeout(() => reject(new Error(`MCP tool timeout after ${MCP_TOOL_TIMEOUT / 1000}s`)), MCP_TOOL_TIMEOUT));
+                    const result = await Promise.race([callPromise, timeoutPromise]);
                     // Extract text content from MCP response
                     const output = result.content
                         ?.filter(c => c.type === 'text')
@@ -70,6 +81,11 @@ async function connectStdio(name, config) {
 /**
  * Connect to all configured MCP servers and return discovered tools.
  */
+const MCP_CONNECT_TIMEOUT = 5_000; // 5s per server connection
+/**
+ * Connect to all configured MCP servers and return discovered tools.
+ * Each connection has a 5s timeout to avoid blocking startup.
+ */
 export async function connectMcpServers(config, debug) {
     const allTools = [];
     for (const [name, serverConfig] of Object.entries(config.mcpServers)) {
@@ -79,17 +95,16 @@ export async function connectMcpServers(config, debug) {
             if (debug) {
                 console.error(`[runcode] Connecting to MCP server: ${name}...`);
             }
-            let connected;
-            if (serverConfig.transport === 'stdio') {
-                connected = await connectStdio(name, serverConfig);
-            }
-            else {
-                // HTTP transport — TODO: implement SSE/HTTP transport
+            if (serverConfig.transport !== 'stdio') {
                 if (debug) {
                     console.error(`[runcode] MCP HTTP transport not yet supported for ${name}`);
                 }
                 continue;
             }
+            // Timeout: don't let a slow server block startup
+            const connectPromise = connectStdio(name, serverConfig);
+            const timeoutPromise = new Promise((_, reject) => setTimeout(() => reject(new Error('connection timeout (5s)')), MCP_CONNECT_TIMEOUT));
+            const connected = await Promise.race([connectPromise, timeoutPromise]);
             allTools.push(...connected.tools);
             if (debug) {
                 console.error(`[runcode] MCP ${name}: ${connected.tools.length} tools discovered`);

dist/mcp/config.d.ts

@@ -5,10 +5,6 @@
  * 2. Project: .mcp.json in working directory
  */
 import type { McpConfig, McpServerConfig } from './client.js';
-/**
- * Load MCP server configurations from global + project files.
- * Project config overrides global for same server name.
- */
 export declare function loadMcpConfig(workDir: string): McpConfig;
 /**
  * Save a server config to the global MCP config.
@@ -18,3 +14,7 @@ export declare function saveMcpServer(name: string, config: McpServerConfig): vo
  * Remove a server from the global MCP config.
  */
 export declare function removeMcpServer(name: string): boolean;
+/**
+ * Trust a project directory to load its .mcp.json.
+ */
+export declare function trustProjectDir(workDir: string): void;

dist/mcp/config.js

@@ -12,8 +12,18 @@ const GLOBAL_MCP_FILE = path.join(BLOCKRUN_DIR, 'mcp.json');
  * Load MCP server configurations from global + project files.
  * Project config overrides global for same server name.
  */
+// Built-in MCP server: @blockrun/mcp is always available (zero config)
+const BUILTIN_MCP_SERVERS = {
+    blockrun: {
+        transport: 'stdio',
+        command: 'npx',
+        args: ['-y', '@blockrun/mcp'],
+        label: 'BlockRun (built-in)',
+    },
+};
 export function loadMcpConfig(workDir) {
-    const servers = {};
+    // Start with built-in servers
+    const servers = { ...BUILTIN_MCP_SERVERS };
     // 1. Global config
     try {
         if (fs.existsSync(GLOBAL_MCP_FILE)) {
@@ -27,14 +37,28 @@ export function loadMcpConfig(workDir) {
         // Ignore corrupt global config
     }
     // 2. Project config (.mcp.json in working directory)
+    // Security: project configs can execute arbitrary commands via stdio transport.
+    // Only load if a trust marker exists (user has explicitly opted in).
     const projectMcpFile = path.join(workDir, '.mcp.json');
+    const trustMarker = path.join(BLOCKRUN_DIR, 'trusted-projects.json');
     try {
         if (fs.existsSync(projectMcpFile)) {
-            const raw = JSON.parse(fs.readFileSync(projectMcpFile, 'utf-8'));
-            if (raw.mcpServers && typeof raw.mcpServers === 'object') {
-                // Project overrides global for same name
-                Object.assign(servers, raw.mcpServers);
+            // Check if this project directory is trusted
+            let trusted = false;
+            try {
+                if (fs.existsSync(trustMarker)) {
+                    const trustedDirs = JSON.parse(fs.readFileSync(trustMarker, 'utf-8'));
+                    trusted = Array.isArray(trustedDirs) && trustedDirs.includes(workDir);
+                }
+            }
+            catch { /* not trusted */ }
+            if (trusted) {
+                const raw = JSON.parse(fs.readFileSync(projectMcpFile, 'utf-8'));
+                if (raw.mcpServers && typeof raw.mcpServers === 'object') {
+                    Object.assign(servers, raw.mcpServers);
+                }
             }
+            // If not trusted, silently skip project config (user must run /mcp trust)
         }
     }
     catch {
@@ -62,6 +86,24 @@ export function removeMcpServer(name) {
     fs.writeFileSync(GLOBAL_MCP_FILE, JSON.stringify(existing, null, 2) + '\n');
     return true;
 }
+/**
+ * Trust a project directory to load its .mcp.json.
+ */
+export function trustProjectDir(workDir) {
+    const trustMarker = path.join(BLOCKRUN_DIR, 'trusted-projects.json');
+    let trusted = [];
+    try {
+        if (fs.existsSync(trustMarker)) {
+            trusted = JSON.parse(fs.readFileSync(trustMarker, 'utf-8'));
+        }
+    }
+    catch { /* fresh */ }
+    if (!trusted.includes(workDir)) {
+        trusted.push(workDir);
+        fs.mkdirSync(BLOCKRUN_DIR, { recursive: true });
+        fs.writeFileSync(trustMarker, JSON.stringify(trusted, null, 2));
+    }
+}
 function loadGlobalMcpConfig() {
     try {
         if (fs.existsSync(GLOBAL_MCP_FILE)) {