Reject non-finite x-credits-remaining values in CreditSink

akolotov · claude · akolotov · commit 396363b437e6 · 2026-06-05T22:25:18.000-06:00
A non-finite `x-credits-remaining` header value (e.g. `-Infinity`) parsed by
`_capture_credits_remaining` reached `CreditSink` and caused two defects:

- `-inf` later hit `int(remaining)` in the low-credits display branch of
  `build_tool_response`, raising `OverflowError` and turning a successful tool
  call into a hard error.
- A `nan`/`-inf` recorded first poisoned the running minimum: `value &lt;
  self.remaining` is `False` for every later observation, so a genuine low
  balance was dropped and the advisory note silently suppressed for the whole
  invocation.

Guard at the single chokepoint `CreditSink.record`: non-finite values are now
ignored, enforcing the invariant "remaining is None or a finite float". This
fixes both the crash and the suppression without touching `build_tool_response`.

Add unit tests (non-finite ignored, minimum not poisoned) and an end-to-end
regression test that a non-finite captured header neither crashes nor emits a
note. Bump version to 0.16.0.dev18.

Co-Authored-By: Claude Opus 4.8 &lt;noreply@anthropic.com&gt;
diff --git a/blockscout_mcp_server/__init__.py b/blockscout_mcp_server/__init__.py
@@ -1,4 +1,4 @@
 # SPDX-License-Identifier: LicenseRef-Blockscout
 """Blockscout MCP Server package."""
 
-__version__ = "0.16.0.dev17"
+__version__ = "0.16.0.dev18"
diff --git a/blockscout_mcp_server/pro_api_key_context.py b/blockscout_mcp_server/pro_api_key_context.py
@@ -49,6 +49,7 @@
 import functools
 import inspect
 import logging
+import math
 from collections.abc import Awaitable, Callable
 from contextvars import ContextVar
 from dataclasses import dataclass
@@ -121,6 +122,9 @@ class CreditSink:
 
     The minimum is retained (rather than the latest) as the conservative choice:
     it warns earlier and is order-independent across concurrent requests.
+
+    Invariant: ``remaining`` is either ``None`` or a *finite* float.  See
+    :meth:`record` for why non-finite values are rejected at the door.
     """
 
     def __init__(self) -> None:
@@ -130,7 +134,21 @@ def record(self, value: float) -> None:
         """Update the stored minimum with *value*.
 
         First observation sets the value; subsequent observations only lower it.
+
+        Non-finite values (``nan``, ``+inf``, ``-inf``) are silently ignored so
+        the invariant "``remaining`` is ``None`` or a *finite* float" always
+        holds.  This is the single chokepoint every value enters through, so the
+        guard belongs here:
+        - ``float("-Infinity")`` would otherwise crash a downstream
+          ``int(remaining)`` display conversion with ``OverflowError``.
+        - A ``nan`` (or ``-inf``) recorded first would *poison* the minimum: the
+          ``value < self.remaining`` comparison is ``False`` for every later
+          real observation (``x < nan`` is always ``False``; nothing is ``<
+          -inf``), so a genuine low balance would be dropped and the advisory
+          note silently suppressed for the whole invocation.
         """
+        if not math.isfinite(value):
+            return
         if self.remaining is None or value < self.remaining:
             self.remaining = value
 
diff --git a/pyproject.toml b/pyproject.toml
@@ -1,6 +1,6 @@
 [project]
 name = "blockscout-mcp-server"
-version = "0.16.0.dev17"
+version = "0.16.0.dev18"
 description = "MCP server for Blockscout"
 requires-python = ">=3.11"
 dependencies = [
diff --git a/server.json b/server.json
@@ -2,7 +2,7 @@
   "$schema": "https://static.modelcontextprotocol.io/schemas/2025-12-11/server.schema.json",
   "name": "com.blockscout/mcp-server",
   "description": "MCP server for Blockscout",
-  "version": "0.16.0.dev17",
+  "version": "0.16.0.dev18",
   "websiteUrl": "https://blockscout.com",
   "repository": {
     "url": "https://github.com/blockscout/mcp-server",
diff --git a/tests/tools/test_credit_tracking.py b/tests/tools/test_credit_tracking.py
@@ -142,6 +142,33 @@ def test_credit_sink_negative_beats_positive():
     assert sink.remaining == -5.0
 
 
+@pytest.mark.parametrize("non_finite", [float("nan"), float("inf"), float("-inf")])
+def test_credit_sink_ignores_non_finite_values(non_finite):
+    """nan / ±inf are rejected at the door: the sink stays at its prior state.
+
+    float("-Infinity") would otherwise crash a downstream int() display
+    conversion, and a nan/-inf recorded first would poison the running minimum.
+    """
+    sink = CreditSink()
+    sink.record(non_finite)
+    assert sink.remaining is None
+
+
+@pytest.mark.parametrize("non_finite", [float("nan"), float("-inf")])
+def test_credit_sink_non_finite_does_not_poison_minimum(non_finite):
+    """Regression: a non-finite observation first must not block a later real
+    low value from being recorded.
+
+    Without the finite guard, `value < self.remaining` is always False once
+    `remaining` is nan/-inf, so the genuine 2000 would be dropped and the
+    low-credits advisory silently suppressed for the whole invocation.
+    """
+    sink = CreditSink()
+    sink.record(non_finite)
+    sink.record(2000.0)
+    assert sink.remaining == 2000.0
+
+
 # ---------------------------------------------------------------------------
 # _capture_credits_remaining via make_blockscout_request (GET path)
 # ---------------------------------------------------------------------------
@@ -773,6 +800,28 @@ def test_build_tool_response_note_present_for_negative_balance():
     assert "-50" in response.notes[0]
 
 
+@pytest.mark.parametrize("header_value", ["-Infinity", "-inf", "nan", "Infinity"])
+def test_build_tool_response_no_crash_on_non_finite_captured_header(header_value):
+    """End-to-end regression: a non-finite ``x-credits-remaining`` header must
+    not crash ``build_tool_response`` and must not emit an advisory note.
+
+    ``float("-Infinity")`` previously reached ``int(remaining)`` in the display
+    branch and raised ``OverflowError``.  With the finite guard in
+    ``CreditSink.record`` the value never enters the sink, so ``remaining``
+    stays ``None`` and no note is produced.
+    """
+    from blockscout_mcp_server.tools.common import _capture_credits_remaining, build_tool_response
+
+    sink = CreditSink()
+    with _set_sink(sink):
+        _capture_credits_remaining(_MockResponse(headers={"x-credits-remaining": header_value}))
+        with patch.object(config, "pro_api_low_credits_threshold", 5000):
+            response = build_tool_response(data={"ok": True})
+
+    assert sink.remaining is None
+    assert response.notes is None
+
+
 def test_build_tool_response_note_absent_when_threshold_disabled():
     """No advisory note when threshold is 0 (feature disabled), even with a low balance."""
     from blockscout_mcp_server.tools.common import build_tool_response
