Safety Model
How VaultTools MCP protects your files: sandboxing, isolation, and predictable processing.
Directory Sandboxing
Every file operation is validated against the --allowed-dir list before execution. Paths are canonicalized to their absolute form, preventing traversal attacks via ../ or symlinks. If a resolved path falls outside every allowed directory, the operation is rejected with an ACCESS_DENIED error.
You can specify multiple allowed directories by repeating the flag: --allowed-dir ~/Documents --allowed-dir ~/Pictures. The server refuses to start without at least one allowed directory.
Output Isolation
When --output-dir is set, all output files are written to that directory instead of next to the input files. This separates processed results from originals.
Output files never overwrite existing files. The server appends a numeric suffix (-1, -2, etc.) to avoid collisions. This means repeated tool calls are always safe. They create new files rather than destroying existing data.
Error Sanitization
Error messages returned to the AI model are truncated to 500 characters. This prevents accidental leakage of file content through verbose error output (e.g., a JSON parse error that includes a snippet of the file).
Errors contain enough information for the AI to retry or report the issue, but never include raw file data.
Stateless Processing
Each tool call is fully independent. The server maintains no state between calls: no caches, no session data, no temporary files. Every invocation reads from disk, processes in memory, and writes back to disk.
This means tool calls are idempotent: calling the same tool with the same inputs always produces the same output (modulo collision-avoidance suffixes on output filenames).
No Telemetry
The server makes zero network requests. There is no analytics, no crash reporting, no update checking, and no phone-home behavior. Communication happens exclusively over stdio (stdin/stdout) with the MCP client.
Logging is written to stderr (not stdout, which is reserved for MCP JSON-RPC) and is off by default. Enable with --verbose for debugging.
Hash Verification
The vaulttools_file_checksum and vaulttools_dev_hash tools let you verify output integrity. After any file transformation, compute a checksum on the output to confirm it matches expectations.
Available algorithms: MD5, SHA-1, SHA-256, SHA-512. Checksums are computed locally and returned as metadata. The file content is never included in the response.
Path-Based I/O
This is the core design principle. The AI agent sends file paths as input. The server reads the files, processes them, writes the output, and returns only metadata (output path, file size, dimensions, checksums, etc.).
File bytes never appear in the MCP response. This means your files don't enter the AI model's context window, aren't sent to any remote API, and aren't included in conversation history.
Exception: A few metadata-only tools return small structured data: EXIF tags, color palette hex codes, word counts, checksum hashes. These are metadata, not file contents.