Context
Hao's standalone @outblock/cadence-mcp (npm) shipped 3 tool capabilities not yet in the Flow CLI's flow mcp subcommand:
- cadence_security_scan — regex-based audit rules (vulnerable patterns: overly-permissive access, unauthenticated borrows, missing entitlements, etc.)
- cadence_validate_args — JSON-Cadence argument validation against a Cadence type signature
- Doc search trio — search_docs, get_doc, browse_docs — Orama-indexed search across cadence-lang.org content + onflow/docs submodule
The cadence-lang.org redesign PR (#306) consolidated to flow mcp (Peter Argue's Go-native implementation in onflow/flow-cli#2306, inspired by Hao's design but reimplemented from scratch in Go) and deleted the duplicate mcp-server/ source. The 3 unique capabilities above are gone with it.
Goal
Implement the equivalent functionality natively in Go in onflow/flow-cli/internal/mcp/tools.go so users get them via flow mcp. This is a fresh implementation following Peter's existing tool patterns in internal/mcp/ — not a TypeScript-to-Go transliteration of Hao's code.
Reference materials
Hao's TypeScript implementations are still readable in this repo's git history before they were deleted:
- Security scan rules: mcp-server/src/audit.ts at git log eval/pr285-cleanup -- mcp-server/src/audit.ts — pure regex pass over Cadence source. ~10 rules covering common security anti-patterns. Easy to translate the rule patterns; the surrounding harness is rewritten in Go.
- JSON-Cadence validation: mcp-server/src/codec/validate.ts — validates JSON-Cadence input shapes against type signatures. Flow CLI already has internal arg validation for flow scripts execute / flow transactions send — likely reusable rather than fresh-coded.
- Doc search: mcp-server/src/search.ts + @orama/orama index over local content. Three tool implementations: search_docs (text query → ranked results), get_doc (fetch by URL), browse_docs (tree walk). Could ship the Orama index as a downloadable artifact alongside Flow CLI releases, or simply call out to cadence-lang.org's /api/search endpoint. The latter is much simpler but introduces a network dependency.
Out of scope (already covered by flow mcp)
- cadence_check, cadence_hover, cadence_definition, cadence_symbols, cadence_completion (LSP-backed) — already in flow mcp
- get_contract_source, get_contract_code (chain reads) — already in flow mcp
- cadence_execute_script (script execution) — already in flow mcp
- cadence_code_review — already in flow mcp per PR #2306 description (rule-based pattern review)
- HTTP transport — flow mcp is stdio-only by design; HTTP transport is a separate question of whether the Flow Foundation wants to host a remote MCP
Why post-merge
The consolidation in #306 was the urgent move (two MCPs both registering as 'cadence-mcp' is a footgun). Implementing the 3 tools upstream is a clean, scoped follow-up that doesn't gate the redesign release.
cc @peterargue (Flow DX team — owner of flow mcp per slack discussion)
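
An added illustration of what cadence_validate_args has to check, written for this page and not taken from Hao's TypeScript, from Flow CLI's internal validator, or from the issue itself. It validates a JSON-Cadence value against a type signature for a narrow subset (String, IntN/UIntN up to 64 bits, and T?); the name ValidateArg and the sample input are constructed for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
)

// ValidateArg checks one JSON-Cadence value against a Cadence type signature.
// Hypothetical helper; subset only: String, IntN/UIntN (N <= 64), and T?.
func ValidateArg(raw []byte, sig string) error {
	var v struct { // JSON-Cadence envelope; keys match case-insensitively
		Type  string
		Value json.RawMessage
	}
	if err := json.Unmarshal(raw, &v); err != nil || len(v.Value) == 0 {
		return fmt.Errorf("not a JSON-Cadence value: %s", raw)
	}
	if inner, opt := strings.CutSuffix(sig, "?"); opt && v.Type == "Optional" {
		if string(v.Value) == "null" {
			return nil
		}
		return ValidateArg(v.Value, inner) // non-nil optionals wrap a full value
	}
	var s string // String and integer payloads are carried as JSON strings
	if v.Type != sig || v.Value[0] != '"' || json.Unmarshal(v.Value, &s) != nil {
		return fmt.Errorf("want %s, got %s", sig, raw)
	}
	rest, unsigned := strings.CutPrefix(sig, "U")
	width, isInt := strings.CutPrefix(rest, "Int")
	bits, err := strconv.Atoi(width)
	switch {
	case sig == "String":
		return nil
	case !isInt || err != nil || bits > 64:
		return fmt.Errorf("unsupported type %s", sig)
	case unsigned:
		_, err = strconv.ParseUint(s, 10, bits) // rejects sign and overflow
	default:
		_, err = strconv.ParseInt(s, 10, bits)
	}
	return err
}

func main() {
	fmt.Println(ValidateArg([]byte(`{"type":"UInt8","value":"256"}`), "UInt8")) // constructed input
}
```

Rejecting a bare JSON number, a mismatched type tag, or an out-of-range integer at this stage means the malformed argument never reaches script execution or transaction submission.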