Barndoor AI Governance

Unified workflow for governing AI agents and Model Context Protocol (MCP) servers through the Barndoor Platform. Registers agents, manages MCP server instances, brokers OAuth connections to backend SaaS, authors RBAC/ABAC policies (with cloning, validation, and revisions), and proxies MCP / SSE traffic with runtime policy enforcement. Designed for IT, security, and developer teams operating agentic AI in production.

Tags: Barndoor, AI Governance, MCP, Policy, Agents, Servers, Connections, Proxy

MCP Tools

list-agents (read-only): List registered AI agents under the organization.
register-agent: Register a new AI agent under the organization.
get-agent-counts (read-only): Get internal vs external agent counts.
list-servers (read-only): List registered MCP servers.
create-server: Register a new MCP server.
delete-server (idempotent): Delete an MCP server registration.
initiate-connection: Start an OAuth 2.0 connection flow to an MCP server.
get-connection-status (read-only): Check OAuth connection status for an MCP server.
delete-connection (idempotent): Delete an OAuth connection for an MCP server.
list-policies (read-only): List access-control policies.
create-policy: Publish a new Cerbos policy.
update-policy (idempotent): Update an existing policy.
clone-policy: Clone an existing policy as a new draft.
validate-policy (read-only): Validate a policy definition before publishing.
list-policy-revisions (read-only): List the revision history for a policy.
enable-restriction (idempotent): Enable a named restriction.
disable-restriction (idempotent): Disable a named restriction.
proxy-mcp-request: Proxy an MCP request through Barndoor policy enforcement.
proxy-sse-request: Proxy an SSE stream through Barndoor.

Capability Spec

ai-governance.yaml
naftiko: 1.0.0-alpha2
info:
  label: Barndoor AI Governance
  description: >-
    Unified workflow for governing AI agents and Model Context Protocol (MCP)
    servers through the Barndoor Platform. Registers agents, manages MCP server
    instances, brokers OAuth connections to backend SaaS, authors RBAC/ABAC
    policies (with cloning, validation, and revisions), and proxies MCP / SSE
    traffic with runtime policy enforcement. Designed for IT, security, and
    developer teams operating agentic AI in production.
  tags:
    - Barndoor
    - AI Governance
    - MCP
    - Policy
    - Agents
    - Servers
    - Connections
    - Proxy
  created: '2026-05-15'
  modified: '2026-05-15'
binds:
  - namespace: env
    keys:
      BARNDOOR_TOKEN: BARNDOOR_TOKEN
      BARNDOOR_ORG: BARNDOOR_ORG
capability:
  consumes:
    - type: http
      namespace: barndoor
      baseUri: https://{{BARNDOOR_ORG}}.platform.barndoor.ai
      description: Barndoor Platform REST API.
      authentication:
        type: bearer
        value: '{{BARNDOOR_TOKEN}}'
        placement: header
      resources:
        - name: agents
          path: /api/agents
          description: AI agent registry.
          operations:
            - name: list-agents
              method: GET
              description: List registered agents with pagination.
              inputParameters:
                - {name: search, in: query, type: string, required: false, description: Search by name or description.}
                - {name: agent_type, in: query, type: string, required: false, description: Filter by agent type (internal or external).}
                - {name: page, in: query, type: integer, required: false, description: Page number.}
                - {name: limit, in: query, type: integer, required: false, description: Items per page (max 100).}
              outputRawFormat: json
              outputParameters:
                - {name: result, type: object, value: $.}
            - name: register-agent
              method: POST
              description: Register a new agent.
              outputRawFormat: json
              outputParameters:
                - {name: result, type: object, value: $.}
              body:
                type: json
                data:
                  application_directory_id: '{{tools.applicationDirectoryId}}'
                  name: '{{tools.name}}'
                  description: '{{tools.description}}'
        - name: agent
          path: /api/agents/{agent_id}
          description: Individual agent management.
          operations:
            - name: get-agent
              method: GET
              description: Get agent details.
              inputParameters:
                - {name: agent_id, in: path, type: string, required: true, description: Agent UUID.}
              outputRawFormat: json
              outputParameters:
                - {name: result, type: object, value: $.}
            - name: unregister-agent
              method: DELETE
              description: Unregister an agent.
              inputParameters:
                - {name: agent_id, in: path, type: string, required: true, description: Agent UUID.}
              outputRawFormat: json
              outputParameters:
                - {name: result, type: object, value: $.}
        - name: agent-counts
          path: /api/agents/counts
          description: Agent counts by type.
          operations:
            - name: get-agent-counts
              method: GET
              description: Get internal vs external agent counts.
              outputRawFormat: json
              outputParameters:
                - {name: result, type: object, value: $.}
        - name: servers
          path: /api/servers
          description: MCP server registry.
          operations:
            - name: list-servers
              method: GET
              description: List registered MCP servers.
              outputRawFormat: json
              outputParameters:
                - {name: result, type: object, value: $.}
            - name: create-server
              method: POST
              description: Register a new MCP server.
              outputRawFormat: json
              outputParameters:
                - {name: result, type: object, value: $.}
              body:
                type: json
                data:
                  name: '{{tools.name}}'
                  url: '{{tools.url}}'
        - name: server
          path: /api/servers/{server_id}
          description: Individual MCP server management.
          operations:
            - name: get-server
              method: GET
              description: Get server details.
              inputParameters:
                - {name: server_id, in: path, type: string, required: true, description: Server UUID.}
              outputRawFormat: json
              outputParameters:
                - {name: result, type: object, value: $.}
            - name: update-server
              method: PUT
              description: Update an MCP server registration.
              inputParameters:
                - {name: server_id, in: path, type: string, required: true, description: Server UUID.}
              outputRawFormat: json
              outputParameters:
                - {name: result, type: object, value: $.}
              body:
                type: json
                data:
                  name: '{{tools.name}}'
            - name: delete-server
              method: DELETE
              description: Delete a server registration.
              inputParameters:
                - {name: server_id, in: path, type: string, required: true, description: Server UUID.}
              outputRawFormat: json
              outputParameters:
                - {name: result, type: object, value: $.}
        - name: connection
          path: /api/servers/{server_id}/connection
          description: OAuth connection to an MCP server.
          operations:
            - name: get-connection-status
              method: GET
              description: Get OAuth connection status.
              inputParameters:
                - {name: server_id, in: path, type: string, required: true, description: Server UUID.}
              outputRawFormat: json
              outputParameters:
                - {name: result, type: object, value: $.}
            - name: delete-connection
              method: DELETE
              description: Delete an OAuth connection.
              inputParameters:
                - {name: server_id, in: path, type: string, required: true, description: Server UUID.}
              outputRawFormat: json
              outputParameters:
                - {name: result, type: object, value: $.}
        - name: connect
          path: /api/servers/{server_id}/connect
          description: Initiate OAuth flow.
          operations:
            - name: initiate-connection
              method: POST
              description: Start an OAuth 2.0 connection flow.
              inputParameters:
                - {name: server_id, in: path, type: string, required: true, description: Server UUID.}
              outputRawFormat: json
              outputParameters:
                - {name: result, type: object, value: $.}
        - name: policies
          path: /api/v2/policies
          description: Policy registry (Cerbos-backed).
          operations:
            - name: list-policies
              method: GET
              description: List access-control policies.
              outputRawFormat: json
              outputParameters:
                - {name: result, type: object, value: $.}
            - name: create-policy
              method: POST
              description: Publish a policy (Cerbos format).
              outputRawFormat: json
              outputParameters:
                - {name: result, type: object, value: $.}
              body:
                type: json
                data:
                  name: '{{tools.name}}'
                  rules: '{{tools.rules}}'
        - name: policy
          path: /api/v2/policies/{policy_id}
          description: Individual policy.
          operations:
            - name: get-policy
              method: GET
              description: Get policy detail.
              inputParameters:
                - {name: policy_id, in: path, type: string, required: true, description: Policy UUID.}
              outputRawFormat: json
              outputParameters:
                - {name: result, type: object, value: $.}
            - name: update-policy
              method: PATCH
              description: Update a policy.
              inputParameters:
                - {name: policy_id, in: path, type: string, required: true, description: Policy UUID.}
              outputRawFormat: json
              outputParameters:
                - {name: result, type: object, value: $.}
              body:
                type: json
                data:
                  description: '{{tools.description}}'
        - name: policy-revisions
          path: /api/v2/policies/{policy_id}/revisions
          description: Policy revision history.
          operations:
            - name: list-policy-revisions
              method: GET
              description: List policy revisions.
              inputParameters:
                - {name: policy_id, in: path, type: string, required: true, description: Policy UUID.}
              outputRawFormat: json
              outputParameters:
                - {name: result, type: object, value: $.}
        - name: policy-clone
          path: /api/v2/policies/{policy_id}/clone
          description: Clone an existing policy.
          operations:
            - name: clone-policy
              method: POST
              description: Clone a policy.
              inputParameters:
                - {name: policy_id, in: path, type: string, required: true, description: Policy UUID.}
              outputRawFormat: json
              outputParameters:
                - {name: result, type: object, value: $.}
        - name: policy-validate
          path: /api/v2/policies/validate
          description: Validate a policy before publishing.
          operations:
            - name: validate-policy
              method: POST
              description: Validate a policy definition.
              outputRawFormat: json
              outputParameters:
                - {name: result, type: object, value: $.}
        - name: policy-summary
          path: /api/v2/policies/summary
          description: Aggregate policy summary.
          operations:
            - name: get-policies-summary
              method: GET
              description: Get an aggregate summary of policies.
              outputRawFormat: json
              outputParameters:
                - {name: result, type: object, value: $.}
        - name: filter-definitions
          path: /api/v2/policies/filter-definitions
          description: Filter definitions for policy authoring UIs.
          operations:
            - name: get-filter-definitions
              method: GET
              description: Get supported filter categories and options.
              outputRawFormat: json
              outputParameters:
                - {name: result, type: object, value: $.}
        - name: restriction-enable
          path: /api/policies/restrictions/enable/{restriction_name}
          description: Enable a restriction.
          operations:
            - name: enable-restriction
              method: PUT
              description: Enable a named restriction.
              inputParameters:
                - {name: restriction_name, in: path, type: string, required: true, description: Restriction name.}
              outputRawFormat: json
              outputParameters:
                - {name: result, type: object, value: $.}
        - name: restriction-disable
          path: /api/policies/restrictions/disable/{restriction_name}
          description: Disable a restriction.
          operations:
            - name: disable-restriction
              method: PUT
              description: Disable a named restriction.
              inputParameters:
                - {name: restriction_name, in: path, type: string, required: true, description: Restriction name.}
              outputRawFormat: json
              outputParameters:
                - {name: result, type: object, value: $.}
        - name: mcp-proxy
          path: /mcp/{mcp_server_name}
          description: Proxy MCP requests to backend servers.
          operations:
            - name: proxy-mcp-request
              method: GET
              description: Proxy a request to an MCP server through Barndoor policy enforcement.
              inputParameters:
                - {name: mcp_server_name, in: path, type: string, required: true, description: MCP server slug.}
              outputRawFormat: json
              outputParameters:
                - {name: result, type: object, value: $.}
        - name: sse-proxy
          path: /sse/{mcp_server_name}
          description: Proxy SSE streams from MCP servers.
          operations:
            - name: proxy-sse-request
              method: GET
              description: Proxy an SSE stream from an MCP server.
              inputParameters:
                - {name: mcp_server_name, in: path, type: string, required: true, description: MCP server slug.}
              outputRawFormat: text
              outputParameters:
                - {name: result, type: object, value: $.}
  exposes:
    - type: mcp
      port: 9080
      namespace: barndoor-governance-mcp
      transport: http
      description: MCP server exposing Barndoor governance workflows to AI agents.
      tools:
        - name: list-agents
          description: List registered AI agents under the organization.
          hints: {readOnly: true, openWorld: true}
          call: barndoor.list-agents
          outputParameters:
            - {type: object, mapping: $.}
        - name: register-agent
          description: Register a new AI agent under the organization.
          hints: {readOnly: false}
          call: barndoor.register-agent
          outputParameters:
            - {type: object, mapping: $.}
        - name: get-agent-counts
          description: Get internal vs external agent counts.
          hints: {readOnly: true}
          call: barndoor.get-agent-counts
          outputParameters:
            - {type: object, mapping: $.}
        - name: list-servers
          description: List registered MCP servers.
          hints: {readOnly: true, openWorld: true}
          call: barndoor.list-servers
          outputParameters:
            - {type: object, mapping: $.}
        - name: create-server
          description: Register a new MCP server.
          hints: {readOnly: false}
          call: barndoor.create-server
          outputParameters:
            - {type: object, mapping: $.}
        - name: delete-server
          description: Delete an MCP server registration.
          hints: {destructive: true, idempotent: true}
          call: barndoor.delete-server
          with: {server_id: tools.serverId}
          outputParameters:
            - {type: object, mapping: $.}
        - name: initiate-connection
          description: Start an OAuth 2.0 connection flow to an MCP server.
          hints: {readOnly: false}
          call: barndoor.initiate-connection
          with: {server_id: tools.serverId}
          outputParameters:
            - {type: object, mapping: $.}
        - name: get-connection-status
          description: Check OAuth connection status for an MCP server.
          hints: {readOnly: true}
          call: barndoor.get-connection-status
          with: {server_id: tools.serverId}
          outputParameters:
            - {type: object, mapping: $.}
        - name: delete-connection
          description: Delete an OAuth connection for an MCP server.
          hints: {destructive: true, idempotent: true}
          call: barndoor.delete-connection
          with: {server_id: tools.serverId}
          outputParameters:
            - {type: object, mapping: $.}
        - name: list-policies
          description: List access-control policies.
          hints: {readOnly: true, openWorld: true}
          call: barndoor.list-policies
          outputParameters:
            - {type: object, mapping: $.}
        - name: create-policy
          description: Publish a new Cerbos policy.
          hints: {readOnly: false}
          call: barndoor.create-policy
          outputParameters:
            - {type: object, mapping: $.}
        - name: update-policy
          description: Update an existing policy.
          hints: {readOnly: false, idempotent: true}
          call: barndoor.update-policy
          with: {policy_id: tools.policyId}
          outputParameters:
            - {type: object, mapping: $.}
        - name: clone-policy
          description: Clone an existing policy as a new draft.
          hints: {readOnly: false}
          call: barndoor.clone-policy
          with: {policy_id: tools.policyId}
          outputParameters:
            - {type: object, mapping: $.}
        - name: validate-policy
          description: Validate a policy definition before publishing.
          hints: {readOnly: true}
          call: barndoor.validate-policy
          outputParameters:
            - {type: object, mapping: $.}
        - name: list-policy-revisions
          description: List the revision history for a policy.
          hints: {readOnly: true}
          call: barndoor.list-policy-revisions
          with: {policy_id: tools.policyId}
          outputParameters:
            - {type: object, mapping: $.}
        - name: enable-restriction
          description: Enable a named restriction.
          hints: {readOnly: false, idempotent: true}
          call: barndoor.enable-restriction
          with: {restriction_name: tools.restrictionName}
          outputParameters:
            - {type: object, mapping: $.}
        - name: disable-restriction
          description: Disable a named restriction.
          hints: {readOnly: false, idempotent: true}
          call: barndoor.disable-restriction
          with: {restriction_name: tools.restrictionName}
          outputParameters:
            - {type: object, mapping: $.}
        - name: proxy-mcp-request
          description: Proxy an MCP request through Barndoor policy enforcement.
          hints: {readOnly: false}
          call: barndoor.proxy-mcp-request
          with: {mcp_server_name: tools.mcpServerName}
          outputParameters:
            - {type: object, mapping: $.}
        - name: proxy-sse-request
          description: Proxy an SSE stream through Barndoor.
          hints: {readOnly: false}
          call: barndoor.proxy-sse-request
          with: {mcp_server_name: tools.mcpServerName}
          outputParameters:
            - {type: object, mapping: $.}
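The tool hints in the `exposes` block (`readOnly`, `destructive`, `idempotent`) are what an MCP client uses to decide whether a call needs confirmation, so a hint that disagrees with the HTTP method of the operation it wraps is a governance defect: a `readOnly: true` tool that actually issues a DELETE would be auto-approved by a client that trusts the annotation. The following linter is an added example, not part of this capability spec or of Naftiko or Barndoor tooling. It assumes the spec shape shown above (`capability.consumes[].resources[].operations[]` with `method`, and `capability.exposes[].tools[]` with `call`, `hints` and `with`), works on a constructed Python-dict excerpt of the spec rather than parsing YAML, and includes two deliberately inconsistent tools (`wipe-server`, `toggle`) that are not on the page, to show what the checks catch.

```python
"""Lint a Naftiko-style capability spec for MCP tool-hint and binding consistency.

Added example; not part of the Barndoor spec or the Naftiko project.
"""
from __future__ import annotations

import re

# Constructed excerpt mirroring the structure of ai-governance.yaml above.
# The last two tools are invented inconsistent entries used to exercise the checks.
SPEC = {
    "capability": {
        "consumes": [{
            "namespace": "barndoor",
            "resources": [
                {"name": "servers", "path": "/api/servers", "operations": [
                    {"name": "list-servers", "method": "GET"},
                    {"name": "create-server", "method": "POST"},
                ]},
                {"name": "server", "path": "/api/servers/{server_id}", "operations": [
                    {"name": "delete-server", "method": "DELETE",
                     "inputParameters": [{"name": "server_id", "in": "path", "required": True}]},
                ]},
                {"name": "restriction-enable",
                 "path": "/api/policies/restrictions/enable/{restriction_name}",
                 "operations": [
                    {"name": "enable-restriction", "method": "PUT",
                     "inputParameters": [{"name": "restriction_name", "in": "path", "required": True}]},
                ]},
            ],
        }],
        "exposes": [{
            "type": "mcp",
            "tools": [
                {"name": "list-servers", "hints": {"readOnly": True, "openWorld": True},
                 "call": "barndoor.list-servers"},
                {"name": "create-server", "hints": {"readOnly": False},
                 "call": "barndoor.create-server"},
                {"name": "delete-server", "hints": {"destructive": True, "idempotent": True},
                 "call": "barndoor.delete-server", "with": {"server_id": "tools.serverId"}},
                {"name": "enable-restriction", "hints": {"readOnly": False, "idempotent": True},
                 "call": "barndoor.enable-restriction",
                 "with": {"restriction_name": "tools.restrictionName"}},
                # Constructed bad entries (not on the page): a DELETE advertised as read-only
                # with its path parameter unbound, and a tool calling an undefined operation.
                {"name": "wipe-server", "hints": {"readOnly": True}, "call": "barndoor.delete-server"},
                {"name": "toggle", "hints": {"readOnly": False}, "call": "barndoor.no-such-op"},
            ],
        }],
    }
}

SAFE_METHODS = {"GET", "HEAD"}                       # may carry readOnly: true
IDEMPOTENT_METHODS = {"GET", "HEAD", "PUT", "DELETE"}  # may carry idempotent: true


def index_operations(spec: dict) -> dict[str, dict]:
    """Map 'namespace.operation' to its HTTP method, path and path parameter names."""
    ops: dict[str, dict] = {}
    for consumed in spec["capability"]["consumes"]:
        ns = consumed["namespace"]
        for res in consumed.get("resources", []):
            path_params = set(re.findall(r"\{(\w+)\}", res["path"]))
            for op in res.get("operations", []):
                ops[f"{ns}.{op['name']}"] = {
                    "method": op["method"].upper(),
                    "path": res["path"],
                    "path_params": path_params,
                }
    return ops


def lint(spec: dict) -> list[tuple[str, str, str]]:
    """Return (tool, code, message) findings for hints or bindings that contradict the operation."""
    ops = index_operations(spec)
    findings: list[tuple[str, str, str]] = []
    for exposed in spec["capability"]["exposes"]:
        for tool in exposed.get("tools", []):
            name = tool["name"]
            op = ops.get(tool.get("call", ""))
            if op is None:
                findings.append((name, "unknown-call", f"call {tool.get('call')!r} matches no operation"))
                continue
            hints = tool.get("hints", {})
            method = op["method"]
            if hints.get("readOnly") and method not in SAFE_METHODS:
                findings.append((name, "readonly-hint-on-unsafe-method", f"readOnly but method is {method}"))
            if method == "DELETE" and not hints.get("destructive"):
                findings.append((name, "missing-destructive-hint", "DELETE operation without destructive: true"))
            if hints.get("idempotent") and method not in IDEMPOTENT_METHODS:
                findings.append((name, "idempotent-hint-on-non-idempotent-method", f"method is {method}"))
            missing = op["path_params"] - set(tool.get("with", {}))
            if missing:
                findings.append((name, "unbound-path-param",
                                 f"{sorted(missing)} in {op['path']} not bound by 'with'"))
    return findings


if __name__ == "__main__":
    for tool, code, msg in lint(SPEC):
        print(f"{tool}: {code}: {msg}")
```

Run against the real spec by loading `ai-governance.yaml` with a YAML parser into the same dict shape; the page's own tools pass these checks, since every DELETE-backed tool carries `destructive: true` and every path parameter is bound through `with`.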