
What does scan do?

The scan command walks your TypeScript and JavaScript files looking for wallet calls (.sendTransaction(), .transfer(), writeContract(), and 7 other patterns) that do not have a corresponding Mandate validation in the same file. It requires no authentication and no configuration.

Usage

# Scan current directory
npx @mandate.md/cli scan

# Scan a specific directory
npx @mandate.md/cli scan ./src/agents

Arguments

| Argument  | Required | Default                 | Description                   |
| --------- | -------- | ----------------------- | ----------------------------- |
| directory | No       | `.` (current directory) | Path to the directory to scan |

Options

| Option         | Required | Description                                                  |
| -------------- | -------- | ------------------------------------------------------------ |
| --json         | No       | Output results as JSON instead of human-readable text        |
| --verbose      | No       | Show all findings, including protected calls                 |
| --ignore       | No       | Comma-separated glob patterns to skip (e.g. tests,scripts)   |
| --no-telemetry | No       | Disable anonymous scan telemetry                             |

Patterns detected

The scanner looks for 10 financial call patterns in .ts, .js, .tsx, and .jsx files:

| Pattern                    | Example                          |
| -------------------------- | -------------------------------- |
| wallet.transfer(           | Direct wallet transfer calls     |
| wallet.sendTransaction(    | Generic transaction sends        |
| wallet.send(               | Shorthand send calls             |
| .sendTransaction(          | Any object's sendTransaction     |
| .sendRawTransaction(       | Raw transaction sends            |
| writeContract(             | Viem contract writes             |
| walletClient.write         | Viem wallet client writes        |
| executeAction(...transfer) | Framework action executions      |
| execute_swap               | Swap execution functions         |
| execute_trade              | Trade execution functions        |

A call is marked protected if its file imports from @mandate, or references MandateClient, MandateWallet, mandate.validate, or mandate.preflight. The scanner also checks for project-level protection: if @mandate.md/sdk appears in any package.json or a MANDATE.md file exists, all findings are marked protected.
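As an added example (not the @mandate.md/cli source), the heuristic above re-implemented in JavaScript over two constructed sample files. It makes the file-level nature of the check visible: a protection marker anywhere in a file marks every wallet call in that file protected, whether or not a validation actually guards the call, so a clean scan is a necessary but not sufficient condition.

```javascript
// Added example (not the @mandate.md/cli source): a minimal re-implementation
// of the scan heuristic. Pattern names and protection markers come from the
// docs; the sample file contents below are constructed.
const PATTERNS = [
  { name: "wallet.transfer(", re: /wallet\.transfer\(/ },
  { name: "wallet.sendTransaction(", re: /wallet\.sendTransaction\(/ },
  { name: "wallet.send(", re: /wallet\.send\(/ },
  { name: ".sendTransaction(", re: /\.sendTransaction\(/ },
  { name: ".sendRawTransaction(", re: /\.sendRawTransaction\(/ },
  { name: "writeContract(", re: /writeContract\(/ },
  { name: "walletClient.write", re: /walletClient\.write/ },
  { name: "executeAction(...transfer)", re: /executeAction\([^)]*transfer/ },
  { name: "execute_swap", re: /execute_swap/ },
  { name: "execute_trade", re: /execute_trade/ },
];
const PROTECTION_MARKERS = ["@mandate", "MandateClient", "MandateWallet",
  "mandate.validate", "mandate.preflight"];

// Scan one file's text; findings use the same shape as `scan --json`.
// Protection is decided per file (or per project), never per call.
function scanSource(file, source, projectProtected = false) {
  const fileProtected =
    projectProtected || PROTECTION_MARKERS.some((m) => source.includes(m));
  const findings = [];
  source.split("\n").forEach((text, i) => {
    const hit = PATTERNS.find((p) => p.re.test(text));
    if (hit) {
      findings.push({ file, line: i + 1, pattern: hit.name, match: text, protected: fileProtected });
    }
  });
  return findings;
}

function summarize(findings) {
  const prot = findings.filter((f) => f.protected).length;
  return { total: findings.length, protected: prot, unprotected: findings.length - prot };
}
// Same convention as the CLI: 1 when anything is unprotected, else 0.
const exitCode = (summary) => (summary.unprotected > 0 ? 1 : 0);

// Constructed sample files. The second one mentions mandate.validate on a
// line that does not wrap the transfer, yet the whole file counts as protected.
const TRADER_TS = [
  "  await wallet.sendTransaction({ to, value });",
  "  return execute_swap(params);",
].join("\n");
const PAYER_TS = [
  "import { MandateClient } from '@mandate.md/sdk';",
  "await mandate.validate({ to, amount });",
  "return wallet.transfer(to, amount);",
].join("\n");
```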

Exit codes

| Code | Meaning                                  |
| ---- | ---------------------------------------- |
| 0    | No unprotected calls found (clean)       |
| 1    | One or more unprotected calls detected   |

Human-readable output

  Mandate Scan v0.2.0

  Scanning ./src/agents ...

    src/agents/trader.ts
      L42  wallet.sendTransaction({...})  UNPROTECTED
      L87  execute_swap(params)            UNPROTECTED

    src/agents/payer.ts
      L15  wallet.transfer(to, amount)     UNPROTECTED

  3 unprotected calls found across 12 files.
  Fix: https://mandate.md/docs/quickstart

JSON output

npx @mandate.md/cli scan --json

{
  "filesScanned": 12,
  "findings": [
    {
      "file": "src/agents/trader.ts",
      "line": 42,
      "pattern": "wallet.sendTransaction(",
      "match": "  await wallet.sendTransaction({...})",
      "protected": false
    }
  ],
  "summary": { "total": 3, "protected": 0, "unprotected": 3 },
  "version": "0.2.0"
}

CI integration

Add the scan to your CI pipeline. The exit code 1 fails the build if unprotected calls exist.

GitHub Actions:

- name: Mandate scan
  run: npx @mandate.md/cli scan ./src

Pre-commit hook:

#!/bin/sh
npx @mandate.md/cli scan || exit 1

GitLab CI:

mandate-scan:
  script:
    - npx @mandate.md/cli scan ./src
  allow_failure: false

The --json flag is useful for programmatic processing in CI. Pipe it to jq to extract specific fields or fail on thresholds.

Run scan early in your pipeline, before tests. It catches missing validation at the code level, not at runtime.

Next Steps

Codebase Scanner Guide

Detailed walkthrough of scanner patterns and remediation steps.

CI/CD Integration

Set up Mandate checks in your deployment pipeline.

Validate Transactions

Add validation to the unprotected calls the scanner found.