
BarzelVault Security MCP

Your AI agents are making decisions right now. Are you governing them? BarzelVault MCP enforces policies, scores risk, breaks circuits, and audit-logs every action — SOC2-ready, one line to mount.

ai security
agent governance
mcp server

BarzelVault MCP Comprehensive Product Description

Overview

BarzelVault MCP is an enterprise-grade AI Action Firewall built as a Model Context Protocol (MCP) server. It acts as a governance and security gateway that sits between AI agents/LLMs and the real-world actions they attempt to perform. Every action an AI agent requests — whether it's a database write, a payment transfer, or an API call — must pass through BarzelVault's multi-layered security pipeline before it can execute. The server enforces risk-based policies, requires human approval for high-risk operations, maintains tamper-evident audit logs, detects behavioral anomalies, and provides full compliance reporting — all exposed as 12 MCP tools that any MCP-compatible AI client can invoke natively.

Version: 5.1.0
Runtime: Node.js + TypeScript (ES2022, NodeNext modules)
Framework: Express.js with SSE (Server-Sent Events) transport
Protocol: MCP (Model Context Protocol) via @modelcontextprotocol/sdk
Default Port: 8080

Architectural Overview

BarzelVault is structured as a layered, modular TypeScript application with clear separation of concerns across ~20 source modules. The architecture follows a pipeline pattern: every incoming tool call flows through authentication → policy evaluation → guardrails → circuit breaker → retry engine → handler execution → metrics recording → observability logging → response enrichment.

Security Headers

Every response includes:

  • X-Content-Type-Options: nosniff — prevents MIME-type sniffing
  • X-Frame-Options: DENY — blocks clickjacking via iframes
  • X-XSS-Protection: 1; mode=block — enables the legacy browser XSS auditor. This header is deprecated: Chromium-based browsers and Firefox ignore it, so it adds no protection there and only matters for older clients.
  • Strict-Transport-Security: max-age=31536000; includeSubDomains — enforces HTTPS for 1 year. Browsers honour HSTS only on responses received over a valid TLS connection, so it takes effect once the server, or the proxy in front of it, actually serves HTTPS.
  • Content-Security-Policy: default-src 'self' — restricts resource loading to same origin
  • Referrer-Policy: strict-origin-when-cross-origin — limits referrer leakage
  • Permissions-Policy: camera=(), microphone=(), geolocation=() — disables sensitive browser APIs

CORS Configuration

Origins are configurable via the ALLOWED_ORIGINS environment variable (comma-separated). If unset, the allowed origin defaults to * for development. The configuration allows credentials, and permits GET, POST, PUT, DELETE, OPTIONS methods with standard headers plus Authorization, x-api-key, x-tenant-id, and mcp-session-id. Set ALLOWED_ORIGINS to an explicit list in any deployment a browser can reach: browsers refuse to expose a credentialed cross-origin response whose Access-Control-Allow-Origin is the literal *, so the wildcard default only works for anonymous requests and should not reach production.
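The origin check behind such a configuration, written out as an added example rather than BarzelVault's own middleware: the allowlist is matched exactly, the matched origin is echoed back with Vary: Origin, the "null" origin is never trusted, and in wildcard mode the credentials header is left out because browsers reject "*" combined with Allow-Credentials: true. The method and header lists come from the page; the ALLOWED_ORIGINS values in the comments are constructed.

```typescript
// Added example (not BarzelVault's own code): the per-request origin decision a
// CORS layer makes under the ALLOWED_ORIGINS scheme described above.

type CorsDecision =
  | { allowed: false }
  | { allowed: true; headers: Record<string, string> };

const ALLOWED_METHODS = "GET, POST, PUT, DELETE, OPTIONS";
const ALLOWED_HEADERS =
  "Content-Type, Accept, Authorization, x-api-key, x-tenant-id, mcp-session-id";

/**
 * Parse the comma-separated ALLOWED_ORIGINS value, e.g.
 * "https://app.example.com, https://admin.example.com" (constructed).
 * Unset or empty yields []. A literal "*" entry is treated as unset, and
 * "null" is dropped because it can never identify a specific trusted site.
 */
function parseAllowedOrigins(env: string | undefined): string[] {
  if (!env) return [];
  return env
    .split(",")
    .map((o) => o.trim().toLowerCase())
    .filter((o) => o.length > 0 && o !== "*" && o !== "null");
}

/**
 * Decide which CORS headers to emit for a request carrying `requestOrigin`.
 *
 * Allowlist mode: the Origin header must equal one entry exactly (no suffix,
 * substring or regex matching); that origin is echoed back and, if the server
 * is configured for credentials, Allow-Credentials: true is added.
 *
 * Wildcard mode (no allowlist, the page's development default): the literal "*"
 * is emitted. A browser will not accept "*" together with Allow-Credentials: true
 * for a credentialed request, so the credentials header is deliberately omitted
 * rather than sent in a combination the browser rejects.
 */
function corsDecision(
  requestOrigin: string | undefined,
  allowedOrigins: string[],
  credentials: boolean,
): CorsDecision {
  const common: Record<string, string> = {
    "Access-Control-Allow-Methods": ALLOWED_METHODS,
    "Access-Control-Allow-Headers": ALLOWED_HEADERS,
  };

  if (allowedOrigins.length === 0) {
    return {
      allowed: true,
      headers: { ...common, "Access-Control-Allow-Origin": "*" },
    };
  }

  // No Origin header means a same-origin or non-browser client: nothing to add.
  if (requestOrigin === undefined) return { allowed: false };

  const origin = requestOrigin.toLowerCase();
  // "null" is what sandboxed iframes, data: URLs and some redirects send.
  if (origin === "null" || !allowedOrigins.includes(origin)) {
    return { allowed: false };
  }

  const headers: Record<string, string> = {
    ...common,
    "Access-Control-Allow-Origin": origin,
    // The response now differs per Origin; shared caches must key on it.
    Vary: "Origin",
  };
  if (credentials) headers["Access-Control-Allow-Credentials"] = "true";
  return { allowed: true, headers };
}
```

Wiring this into Express is a matter of calling corsDecision with req.headers.origin and the parsed environment value, then setting the returned headers; the decision logic itself is what deserves a unit test.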

Health Checks

  • GET /ping — returns { status: "pong" } (lightweight liveness probe)
  • GET /health — returns { status: "healthy", timestamp, uptime, version: "5.1.0" } (rich readiness probe)

MCP Discovery Endpoint (POST /mcp)

Handles MCPize capability discovery probes without requiring authentication. Responds to JSON-RPC initialize requests with server info and capabilities, and to tools/list requests with the full tool manifest from the registry. This enables automated platform discovery of all 12 tools. Because the endpoint is unauthenticated, the tool names, descriptions and input schemas in the manifest are effectively public and should not carry internal hostnames, tenant data or other sensitive detail; tool execution itself still goes through the authenticated SSE session and the policy pipeline described above.
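As an added example (not BarzelVault's code), here is an unauthenticated discovery handler that answers exactly the two JSON-RPC methods named above and refuses everything else with a JSON-RPC error, so that a discovery probe can never turn into a tool invocation. The tool entries, server name and protocolVersion string are constructed placeholders, not BarzelVault's actual manifest.

```typescript
// Added example, not BarzelVault's code: a JSON-RPC discovery handler that serves
// only initialize and tools/list. Tools, server info and protocol version are
// constructed placeholders.

interface JsonRpcRequest {
  jsonrpc: "2.0";
  id?: number | string | null;
  method: string;
  params?: unknown;
}

interface JsonRpcError {
  code: number;
  message: string;
}

interface JsonRpcResponse {
  jsonrpc: "2.0";
  id: number | string | null;
  result?: unknown;
  error?: JsonRpcError;
}

interface ToolManifestEntry {
  name: string;
  description: string;
  inputSchema: {
    type: "object";
    properties: Record<string, unknown>;
    required?: string[];
  };
}

// Constructed registry; the names are placeholders, not BarzelVault's tool set.
// Anyone who can reach POST /mcp can read this, so descriptions must stay free
// of internal hostnames, tenant names and policy details.
const TOOL_REGISTRY: ToolManifestEntry[] = [
  {
    name: "evaluate_action",
    description: "Score a proposed agent action against tenant policy.",
    inputSchema: {
      type: "object",
      properties: { action: { type: "string" }, target: { type: "string" } },
      required: ["action", "target"],
    },
  },
  {
    name: "request_approval",
    description: "Open a human approval request for a high-risk action.",
    inputSchema: {
      type: "object",
      properties: { actionId: { type: "string" } },
      required: ["actionId"],
    },
  },
];

const SERVER_INFO = { name: "example-action-firewall", version: "0.0.0" }; // placeholder
const PROTOCOL_VERSION = "2024-11-05"; // assumed MCP revision string

// This allowlist is the entire security control of the endpoint: any method
// not named here is refused before a handler runs.
const DISCOVERY_METHODS: ReadonlySet<string> = new Set(["initialize", "tools/list"]);

function rpcError(id: JsonRpcResponse["id"], code: number, message: string): JsonRpcResponse {
  return { jsonrpc: "2.0", id, error: { code, message } };
}

/** Handle one already-parsed JSON-RPC message arriving on the unauthenticated endpoint. */
function handleDiscovery(raw: unknown): JsonRpcResponse {
  if (typeof raw !== "object" || raw === null) {
    return rpcError(null, -32600, "Invalid Request");
  }
  const req = raw as Partial<JsonRpcRequest>;
  const id = req.id ?? null;
  if (req.jsonrpc !== "2.0" || typeof req.method !== "string") {
    return rpcError(id, -32600, "Invalid Request");
  }
  if (!DISCOVERY_METHODS.has(req.method)) {
    // tools/call, resources/*, prompts/*: only inside an authenticated session.
    return rpcError(id, -32601, `Method not available on the discovery endpoint: ${req.method}`);
  }
  if (req.method === "initialize") {
    return {
      jsonrpc: "2.0",
      id,
      result: {
        protocolVersion: PROTOCOL_VERSION,
        capabilities: { tools: {} },
        serverInfo: SERVER_INFO,
      },
    };
  }
  // tools/list: the public manifest, input schemas included.
  return { jsonrpc: "2.0", id, result: { tools: TOOL_REGISTRY } };
}
```

The exchange a probe sees is therefore: initialize → server info and capabilities; tools/list → the manifest; tools/call → error -32601 with no handler executed and no session created.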

Graceful Shutdown

Handles SIGTERM and SIGINT with a clean server close, logging the shutdown event. Uncaught exceptions and unhandled promise rejections are caught at the process level, logged, and trigger a controlled exit.

MCP Server Core

This is the heart of BarzelVault. It implements the full MCP protocol lifecycle over SSE transport.

Session Management

Each SSE connection creates a new MCP session stored in an in-memory Map<string, SessionEntry>:

```typescript
interface SessionEntry {
  transport: SSEServerTransport;
  server: McpServer;
  tenantId: number;
  permissions: string[];
}
```

Because the registry is process-local, sessions do not survive a restart, and running more than one replica requires sticky routing so that /mcp/messages requests reach the process that holds the corresponding SSE connection.

  • Session creation: When a client connects to /mcp/sse, a new SSEServerTransport is created first (to obtain the real sessionId), then an McpServer instance is created with that session's tenantId and sessionId. The session is stored with its permissions for later policy evaluation.
  • Session cleanup: When the SSE connection closes, the server is gracefully closed, the session is removed from the registry, and all short-term agent memory for that session is purged.
  • Tenant isolation: The /mcp/messages endpoint validates that the authentication token's tenantId matches the session's tenantId, preventing cross-tenant message injection.
Updated Apr 8, 2026