This release includes breaking changes for platform teams planning a safe upgrade.
Published 2mo
MCP Developer Tools
✓ No known CVEs patched
✓ No known CVEs patched in this version
Topics
ai
ai-agents
ai-gateway
anthropic
api-gateway
budget-enforcement
+14 more
cloudflare-workers
cost-estimation
cost-tracking
durable-objects
llm
llm-cost
llm-observability
llmkit
mcp
model-context-protocol
openai
python
typescript
vercel-ai-sdk
Summary
AI summaryKeyGuard adds recursive banned‑file scanning, subpath action resolution, gitignore negation, and four new secret patterns.
Full changelog
What's changed
Proxy correctness
- Stream errors now release budget reservations via try/finally
- BudgetDO: alarm cleans session reservations, total-period alerts fire once, record() resets period
- Gemini empty candidates handled gracefully (content_filter finishReason)
Dashboard performance
- React.cache deduplication (8+ duplicate DB queries per page down to 1)
- Layout waterfall fix (ensureAccount return value used directly)
- Removed ~350 lines of dead code
MCP server
- Local cost tracking deduplicates JSONL by message.id (was inflating 3-5x)
Security
- OpenSSF Scorecard workflow + badge
- CodeQL static analysis
- Branch protection with required PR reviews
- update-pricing workflow git config fix
KeyGuard fixes (separate repo)
- Recursive banned file scanning
- Subpath action resolution
- Gitignore negation support
- Cross-platform hash normalization
- 4 new secret patterns (Telegram, npm, PyPI, SendGrid)
- GITHUB_TOKEN rate limit support
Weekly OSS security release digest.
The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.
No spam, unsubscribe anytime.
Share this release
About smigolsmigol/llmkit
AI API cost tracking and budget enforcement across 11 LLM providers. 6 tools for spend analytics, budget monitoring, session summaries, and key management.
Related context
Beta — feedback welcome: [email protected]