Shield Security

VaultCrux Shield is the control layer that evaluates MCP tool calls and sensitive API mutations before execution.

What Shield does

• Applies capability controls to block unknown or unsafe actions.
• Enforces approval flows for operations that require human authorization.
• Records structured decisions for audit trails.
• Supports runtime safety controls for emergency containment.

Enforcement surfaces

• MCP tool execution requests.
• API mutation routes that can change tenant state.
• Approval-token validation on approved mutation retries.

Evidence and auditability

• Decision events are logged and can be audited.
• Approval requests and resolutions are retained as reviewable records.
• Receipt and proof surfaces can be used alongside Shield logs for post-incident analysis.

Operational model (high level)

• Start in observe mode and validate behavior.
• Promote to enforce mode once policy and approvals are validated for your environment.
• Keep rollback procedures and incident response contacts documented in your internal runbooks.

Related docs

• Security and Compliance
• Compliance Summary
• API + Auth