cloudflare/mcp-server-cloudflare

[email protected] scope: docs-autorag Breaking

This release includes breaking changes for platform teams planning a safe upgrade.

Published 1d MCP Developer Tools

View tool

✓ No known CVEs patched

Read the diff → Tool health → What is this tool? →

✓ No known CVEs patched in this version

ReleasePort's take

Moderate signal

editorial:auto 1d

The release mandates several dependency upgrades and introduces breaking API changes that require code modifications.

Why it matters: Upgrade @cloudflare/workers-oauth-provider to 0.7.0, agents to 0.13.3, @modelcontextprotocol/sdk to 1.29.0, zod to 4, and ai to 6; also add `grantId` to TokenExchangeCallbackOptions and constrain McpAgent environment to Cloudflare.Env.

Summary

AI summary

Updates Patch Changes, a358e69, and f625075 across a mixed release.

Changes in this release

Type	Severity	Summary	CVE
Breaking	High	`TokenExchangeCallbackOptions` now requires a `grantId` field. `TokenExchangeCallbackOptions` now requires a `grantId` field. Source: llm_adapter@2026-06-02 Confidence: high	—
Breaking	High	`McpAgent` environment generic constrained to `Cloudflare.Env`. `McpAgent` environment generic constrained to `Cloudflare.Env`. Source: llm_adapter@2026-06-02 Confidence: high	—
Dependency
Dependency	Low	Upgrade @cloudflare/workers-oauth-provider from 0.4.0 to 0.7.0. Upgrade @cloudflare/workers-oauth-provider from 0.4.0 to 0.7.0. Source: llm_adapter@2026-06-02 Confidence: high	—
Dependency	Low	Upgrade agents from 0.2.19 to 0.13.3. Upgrade agents from 0.2.19 to 0.13.3. Source: llm_adapter@2026-06-02 Confidence: high	—
Dependency	Low	Upgrade @modelcontextprotocol/sdk from 1.20.2 to 1.29.0. Upgrade @modelcontextprotocol/sdk from 1.20.2 to 1.29.0. Source: llm_adapter@2026-06-02 Confidence: high	—
Dependency	Low	Upgrade zod from 3 to 4. Upgrade zod from 3 to 4. Source: llm_adapter@2026-06-02 Confidence: high	—
Dependency	Low	Upgrade ai from 4 to 6. Upgrade ai from 4 to 6. Source: llm_adapter@2026-06-02 Confidence: high	—
Deprecation	Medium	Drop the removed `objectOutputType` helper from zod. Drop the removed `objectOutputType` helper from zod. Source: llm_adapter@2026-06-02 Confidence: high	—
Bugfix	Medium	Fix latent bug where nested MCP annotation hints were silently ignored. Fix latent bug where nested MCP annotation hints were silently ignored. Source: llm_adapter@2026-06-02 Confidence: high	—
Bugfix	Medium	Replace `z.string().ip()` with explicit `z.ipv4()`/`z.ipv6()` validation. Replace `z.string().ip()` with explicit `z.ipv4()`/`z.ipv6()` validation. Source: llm_adapter@2026-06-02 Confidence: high	—
Refactor	Low	`z.record(...)` now takes an explicit key schema in zod 4. `z.record(...)` now takes an explicit key schema in zod 4. Source: granite4.1:30b@2026-06-02-audit Confidence: high	—
Refactor	Low	Update eval tooling in ai: LanguageModel, inputSchema, stopWhen/stepCountIs, and tool-call `input`. Update eval tooling in ai: LanguageModel, inputSchema, stopWhen/stepCountIs, and tool-call `input`. Source: granite4.1:30b@2026-06-02-audit Confidence: high	—

Full changelog

Patch Changes

a358e69: Upgrade @cloudflare/workers-oauth-provider 0.4.0 → 0.7.0.

No tool or behavior changes. The only API change affecting this repo is that
TokenExchangeCallbackOptions now carries a required grantId field, which only
touched a test fixture (the provider supplies it at runtime).
f625075: Upgrade core dependencies: agents 0.2.19 → 0.13.3, @modelcontextprotocol/sdk 1.20.2 →
1.29.0, zod 3 → 4, and ai 4 → 6.

No user-facing tool or behavior changes. Internal adjustments for the new versions:
- zod 4: z.record(...) now takes an explicit key schema; z.string().ip() replaced with
  z.ipv4()/z.ipv6() validation; dropped the removed objectOutputType helper.
- agents 0.13: McpAgent env generic is constrained to Cloudflare.Env.
- MCP SDK 1.29: tool annotations hints must be flat ({ title, readOnlyHint, ... }) — fixes a
  latent bug where nested hints were silently ignored.
- ai 6: eval tooling updated (LanguageModel, inputSchema, stopWhen/stepCountIs, tool-call input).

View diff on GitHub

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

Share this release

Share on X Share on Bluesky

Track cloudflare/mcp-server-cloudflare

Get notified when new releases ship.

About cloudflare/mcp-server-cloudflare

Integration with Cloudflare services including Workers, KV, R2, and D1

All releases →

Related context

Related tools

Earlier breaking changes

[email protected] Adds delete-class migration for UserDetails Durable Object in graphql server.
[email protected] Removes `accounts_list` and `set_active_account` tools.
[email protected] Removes `accounts_list` and `set_active_account` tools.
[email protected] Removes `accounts_list` and `set_active_account` tools.
[email protected] Removes `accounts_list` and `set_active_account` tools.