---
# Naftiko capability: wraps the Barndoor Platform REST API (consumes) and
# re-exposes a subset of its operations as MCP tools (exposes).
naftiko: 1.0.0-alpha2
info:
  label: Barndoor AI Governance
  description: >-
    Unified workflow for governing AI agents and Model Context Protocol (MCP)
    servers through the Barndoor Platform. Registers agents, manages MCP
    server instances, brokers OAuth connections to backend SaaS, authors
    RBAC/ABAC policies (with cloning, validation, and revisions), and proxies
    MCP / SSE traffic with runtime policy enforcement. Designed for IT,
    security, and developer teams operating agentic AI in production.
  tags:
    - Barndoor
    - AI Governance
    - MCP
    - Policy
    - Agents
    - Servers
    - Connections
    - Proxy
  created: '2026-05-15'
  modified: '2026-05-15'

# Values resolved from the process environment. BARNDOOR_TOKEN is the bearer
# credential used for every upstream call, so it should come from a secret
# store and carry only the permissions the exposed tools need.
binds:
  - namespace: env
    keys:
      BARNDOOR_TOKEN: BARNDOOR_TOKEN
      BARNDOOR_ORG: BARNDOOR_ORG

capability:
  consumes:
    - type: http
      namespace: barndoor
      # BARNDOOR_ORG becomes part of the hostname, and the bearer token is
      # sent to whatever host results. Treat it as trusted deployment
      # configuration, never as a value a caller can influence.
      baseUri: https://{{BARNDOOR_ORG}}.platform.barndoor.ai
      description: Barndoor Platform REST API.
      authentication:
        type: bearer
        value: '{{BARNDOOR_TOKEN}}'
        placement: header
      resources:
        # ---- Agent registry ----
        - name: agents
          path: /api/agents
          description: AI agent registry.
          operations:
            - name: list-agents
              method: GET
              description: List registered agents with pagination.
              inputParameters:
                - name: search
                  in: query
                  type: string
                  required: false
                  description: Search by name or description.
                - name: agent_type
                  in: query
                  type: string
                  required: false
                  description: Filter by agent type (internal or external).
                - name: page
                  in: query
                  type: integer
                  required: false
                  description: Page number.
                - name: limit
                  in: query
                  type: integer
                  required: false
                  description: Items per page (max 100).
              outputRawFormat: json
              outputParameters:
                - {name: result, type: object, value: $.}
            - name: register-agent
              method: POST
              description: Register a new agent.
              outputRawFormat: json
              outputParameters:
                - {name: result, type: object, value: $.}
              # Body fields are filled from tool-call arguments (tools.*).
              body:
                type: json
                data:
                  application_directory_id: '{{tools.applicationDirectoryId}}'
                  name: '{{tools.name}}'
                  description: '{{tools.description}}'
        - name: agent
          path: /api/agents/{agent_id}
          description: Individual agent management.
          operations:
            - name: get-agent
              method: GET
              description: Get agent details.
              inputParameters:
                - name: agent_id
                  in: path
                  type: string
                  required: true
                  description: Agent UUID.
              outputRawFormat: json
              outputParameters:
                - {name: result, type: object, value: $.}
            - name: unregister-agent
              method: DELETE
              description: Unregister an agent.
              inputParameters:
                - name: agent_id
                  in: path
                  type: string
                  required: true
                  description: Agent UUID.
              outputRawFormat: json
              outputParameters:
                - {name: result, type: object, value: $.}
        - name: agent-counts
          path: /api/agents/counts
          description: Agent counts by type.
          operations:
            - name: get-agent-counts
              method: GET
              description: Get internal vs external agent counts.
              outputRawFormat: json
              outputParameters:
                - {name: result, type: object, value: $.}

        # ---- MCP server registry ----
        - name: servers
          path: /api/servers
          description: MCP server registry.
          operations:
            - name: list-servers
              method: GET
              description: List registered MCP servers.
              outputRawFormat: json
              outputParameters:
                - {name: result, type: object, value: $.}
            - name: create-server
              method: POST
              description: Register a new MCP server.
              outputRawFormat: json
              outputParameters:
                - {name: result, type: object, value: $.}
              # NOTE(review): `url` comes straight from the tool call, so the
              # caller chooses which backend gets registered. Consider an
              # allow-list or an approval step for new server URLs.
              body:
                type: json
                data:
                  name: '{{tools.name}}'
                  url: '{{tools.url}}'
        - name: server
          path: /api/servers/{server_id}
          description: Individual MCP server management.
          operations:
            - name: get-server
              method: GET
              description: Get server details.
              inputParameters:
                - name: server_id
                  in: path
                  type: string
                  required: true
                  description: Server UUID.
              outputRawFormat: json
              outputParameters:
                - {name: result, type: object, value: $.}
            - name: update-server
              method: PUT
              description: Update an MCP server registration.
              inputParameters:
                - name: server_id
                  in: path
                  type: string
                  required: true
                  description: Server UUID.
              outputRawFormat: json
              outputParameters:
                - {name: result, type: object, value: $.}
              body:
                type: json
                data:
                  name: '{{tools.name}}'
            - name: delete-server
              method: DELETE
              description: Delete a server registration.
              inputParameters:
                - name: server_id
                  in: path
                  type: string
                  required: true
                  description: Server UUID.
              outputRawFormat: json
              outputParameters:
                - {name: result, type: object, value: $.}

        # ---- OAuth connections to MCP servers ----
        - name: connection
          path: /api/servers/{server_id}/connection
          description: OAuth connection to an MCP server.
          operations:
            - name: get-connection-status
              method: GET
              description: Get OAuth connection status.
              inputParameters:
                - name: server_id
                  in: path
                  type: string
                  required: true
                  description: Server UUID.
              outputRawFormat: json
              outputParameters:
                - {name: result, type: object, value: $.}
            - name: delete-connection
              method: DELETE
              description: Delete an OAuth connection.
              inputParameters:
                - name: server_id
                  in: path
                  type: string
                  required: true
                  description: Server UUID.
              outputRawFormat: json
              outputParameters:
                - {name: result, type: object, value: $.}
        - name: connect
          path: /api/servers/{server_id}/connect
          description: Initiate OAuth flow.
          operations:
            - name: initiate-connection
              method: POST
              description: Start an OAuth 2.0 connection flow.
              inputParameters:
                - name: server_id
                  in: path
                  type: string
                  required: true
                  description: Server UUID.
              outputRawFormat: json
              outputParameters:
                - {name: result, type: object, value: $.}

        # ---- Access-control policies (v2 API) ----
        - name: policies
          path: /api/v2/policies
          description: Policy registry (Cerbos-backed).
          operations:
            - name: list-policies
              method: GET
              description: List access-control policies.
              outputRawFormat: json
              outputParameters:
                - {name: result, type: object, value: $.}
            - name: create-policy
              method: POST
              description: Publish a policy (Cerbos format).
              outputRawFormat: json
              outputParameters:
                - {name: result, type: object, value: $.}
              # The policy name and rule set are taken from tool-call
              # arguments; nothing in this file constrains their content.
              body:
                type: json
                data:
                  name: '{{tools.name}}'
                  rules: '{{tools.rules}}'
        - name: policy
          path: /api/v2/policies/{policy_id}
          description: Individual policy.
          operations:
            - name: get-policy
              method: GET
              description: Get policy detail.
              inputParameters:
                - name: policy_id
                  in: path
                  type: string
                  required: true
                  description: Policy UUID.
              outputRawFormat: json
              outputParameters:
                - {name: result, type: object, value: $.}
            - name: update-policy
              method: PATCH
              description: Update a policy.
              inputParameters:
                - name: policy_id
                  in: path
                  type: string
                  required: true
                  description: Policy UUID.
              outputRawFormat: json
              outputParameters:
                - {name: result, type: object, value: $.}
              # Only `description` is sent, so this operation cannot change
              # a policy's rules as written.
              body:
                type: json
                data:
                  description: '{{tools.description}}'
        - name: policy-revisions
          path: /api/v2/policies/{policy_id}/revisions
          description: Policy revision history.
          operations:
            - name: list-policy-revisions
              method: GET
              description: List policy revisions.
              inputParameters:
                - name: policy_id
                  in: path
                  type: string
                  required: true
                  description: Policy UUID.
              outputRawFormat: json
              outputParameters:
                - {name: result, type: object, value: $.}
        - name: policy-clone
          path: /api/v2/policies/{policy_id}/clone
          description: Clone an existing policy.
          operations:
            - name: clone-policy
              method: POST
              description: Clone a policy.
              inputParameters:
                - name: policy_id
                  in: path
                  type: string
                  required: true
                  description: Policy UUID.
              outputRawFormat: json
              outputParameters:
                - {name: result, type: object, value: $.}
        - name: policy-validate
          path: /api/v2/policies/validate
          description: Validate a policy before publishing.
          operations:
            # NOTE(review): no body or input parameter is declared here, so
            # this POST carries no policy definition as written. Confirm
            # before relying on its result as a pre-publish gate.
            - name: validate-policy
              method: POST
              description: Validate a policy definition.
              outputRawFormat: json
              outputParameters:
                - {name: result, type: object, value: $.}
        - name: policy-summary
          path: /api/v2/policies/summary
          description: Aggregate policy summary.
          operations:
            - name: get-policies-summary
              method: GET
              description: Get an aggregate summary of policies.
              outputRawFormat: json
              outputParameters:
                - {name: result, type: object, value: $.}
        - name: filter-definitions
          path: /api/v2/policies/filter-definitions
          description: Filter definitions for policy authoring UIs.
          operations:
            - name: get-filter-definitions
              method: GET
              description: Get supported filter categories and options.
              outputRawFormat: json
              outputParameters:
                - {name: result, type: object, value: $.}

        # ---- Named restrictions (unversioned /api/policies path) ----
        - name: restriction-enable
          path: /api/policies/restrictions/enable/{restriction_name}
          description: Enable a restriction.
          operations:
            - name: enable-restriction
              method: PUT
              description: Enable a named restriction.
              inputParameters:
                - name: restriction_name
                  in: path
                  type: string
                  required: true
                  description: Restriction name.
              outputRawFormat: json
              outputParameters:
                - {name: result, type: object, value: $.}
        - name: restriction-disable
          path: /api/policies/restrictions/disable/{restriction_name}
          description: Disable a restriction.
          operations:
            - name: disable-restriction
              method: PUT
              description: Disable a named restriction.
              inputParameters:
                - name: restriction_name
                  in: path
                  type: string
                  required: true
                  description: Restriction name.
              outputRawFormat: json
              outputParameters:
                - {name: result, type: object, value: $.}

        # ---- Runtime proxies ----
        - name: mcp-proxy
          path: /mcp/{mcp_server_name}
          description: Proxy MCP requests to backend servers.
          operations:
            - name: proxy-mcp-request
              method: GET
              description: Proxy a request to an MCP server through Barndoor policy enforcement.
              inputParameters:
                - name: mcp_server_name
                  in: path
                  type: string
                  required: true
                  description: MCP server slug.
              outputRawFormat: json
              outputParameters:
                - {name: result, type: object, value: $.}
        - name: sse-proxy
          path: /sse/{mcp_server_name}
          description: Proxy SSE streams from MCP servers.
          operations:
            - name: proxy-sse-request
              method: GET
              description: Proxy an SSE stream from an MCP server.
              inputParameters:
                - name: mcp_server_name
                  in: path
                  type: string
                  required: true
                  description: MCP server slug.
              # NOTE(review): raw format is `text`, yet the output parameter
              # is typed `object` with a `$.` path. Confirm this is intended.
              outputRawFormat: text
              outputParameters:
                - {name: result, type: object, value: $.}

  # Exposed side: an MCP endpoint on port 9080 over HTTP. Every tool below
  # calls the Barndoor API with BARNDOOR_TOKEN, and the set includes policy
  # publication, restriction toggling and deletion of servers/connections.
  # NOTE(review): no authentication or bind address for this listener is
  # configured in this file. Confirm what the runtime applies by default and
  # restrict reachability (loopback, network policy, or an authenticating
  # gateway) before deploying.
  exposes:
    - type: mcp
      port: 9080
      namespace: barndoor-governance-mcp
      transport: http
      description: MCP server exposing Barndoor governance workflows to AI agents.
      # `hints` are advisory metadata for MCP clients, not an access control;
      # what a call may do is decided by the Barndoor API for the token.
      tools:
        # ---- Agents ----
        - name: list-agents
          description: List registered AI agents under the organization.
          hints: {readOnly: true, openWorld: true}
          call: barndoor.list-agents
          outputParameters:
            - {type: object, mapping: $.}
        - name: register-agent
          description: Register a new AI agent under the organization.
          hints: {readOnly: false}
          call: barndoor.register-agent
          outputParameters:
            - {type: object, mapping: $.}
        - name: get-agent-counts
          description: Get internal vs external agent counts.
          hints: {readOnly: true}
          call: barndoor.get-agent-counts
          outputParameters:
            - {type: object, mapping: $.}

        # ---- MCP servers and OAuth connections ----
        - name: list-servers
          description: List registered MCP servers.
          hints: {readOnly: true, openWorld: true}
          call: barndoor.list-servers
          outputParameters:
            - {type: object, mapping: $.}
        - name: create-server
          description: Register a new MCP server.
          hints: {readOnly: false}
          call: barndoor.create-server
          outputParameters:
            - {type: object, mapping: $.}
        - name: delete-server
          description: Delete an MCP server registration.
          hints: {destructive: true, idempotent: true}
          call: barndoor.delete-server
          with: {server_id: tools.serverId}
          outputParameters:
            - {type: object, mapping: $.}
        - name: initiate-connection
          description: Start an OAuth 2.0 connection flow to an MCP server.
          hints: {readOnly: false}
          call: barndoor.initiate-connection
          with: {server_id: tools.serverId}
          outputParameters:
            - {type: object, mapping: $.}
        - name: get-connection-status
          description: Check OAuth connection status for an MCP server.
          hints: {readOnly: true}
          call: barndoor.get-connection-status
          with: {server_id: tools.serverId}
          outputParameters:
            - {type: object, mapping: $.}
        - name: delete-connection
          description: Delete an OAuth connection for an MCP server.
          hints: {destructive: true, idempotent: true}
          call: barndoor.delete-connection
          with: {server_id: tools.serverId}
          outputParameters:
            - {type: object, mapping: $.}

        # ---- Policies ----
        # The write tools in this group change what the platform enforces.
        # An agent that processes untrusted content could be steered into
        # calling them, so pair them with human approval and audit logging.
        - name: list-policies
          description: List access-control policies.
          hints: {readOnly: true, openWorld: true}
          call: barndoor.list-policies
          outputParameters:
            - {type: object, mapping: $.}
        - name: create-policy
          description: Publish a new Cerbos policy.
          hints: {readOnly: false}
          call: barndoor.create-policy
          outputParameters:
            - {type: object, mapping: $.}
        - name: update-policy
          description: Update an existing policy.
          hints: {readOnly: false, idempotent: true}
          call: barndoor.update-policy
          with: {policy_id: tools.policyId}
          outputParameters:
            - {type: object, mapping: $.}
        - name: clone-policy
          description: Clone an existing policy as a new draft.
          hints: {readOnly: false}
          call: barndoor.clone-policy
          with: {policy_id: tools.policyId}
          outputParameters:
            - {type: object, mapping: $.}
        - name: validate-policy
          description: Validate a policy definition before publishing.
          hints: {readOnly: true}
          call: barndoor.validate-policy
          outputParameters:
            - {type: object, mapping: $.}
        - name: list-policy-revisions
          description: List the revision history for a policy.
          hints: {readOnly: true}
          call: barndoor.list-policy-revisions
          with: {policy_id: tools.policyId}
          outputParameters:
            - {type: object, mapping: $.}

        # ---- Restrictions ----
        - name: enable-restriction
          description: Enable a named restriction.
          hints: {readOnly: false, idempotent: true}
          call: barndoor.enable-restriction
          with: {restriction_name: tools.restrictionName}
          outputParameters:
            - {type: object, mapping: $.}
        # NOTE(review): this tool switches a control off but, unlike the
        # delete tools, sets no `destructive` hint. Decide whether clients
        # should be told to ask for confirmation here.
        - name: disable-restriction
          description: Disable a named restriction.
          hints: {readOnly: false, idempotent: true}
          call: barndoor.disable-restriction
          with: {restriction_name: tools.restrictionName}
          outputParameters:
            - {type: object, mapping: $.}

        # ---- Proxies ----
        # The target server slug is chosen by the caller via
        # tools.mcpServerName.
        - name: proxy-mcp-request
          description: Proxy an MCP request through Barndoor policy enforcement.
          hints: {readOnly: false}
          call: barndoor.proxy-mcp-request
          with: {mcp_server_name: tools.mcpServerName}
          outputParameters:
            - {type: object, mapping: $.}
        - name: proxy-sse-request
          description: Proxy an SSE stream through Barndoor.
          hints: {readOnly: false}
          call: barndoor.proxy-sse-request
          with: {mcp_server_name: tools.mcpServerName}
          outputParameters:
            - {type: object, mapping: $.}