modernbank-mcp-server

The system acts as an API gateway, propagating `Authorization`, `X-User-Id`, `X-User-Email`, `X-User-Role` headers to downstream services. This is a standard microservices pattern but requires robust authentication/authorization in client and backend services. The `PaymentService` contains commented-out JWT parsing and a hardcoded `fromAccount = ""` which is a bug, but this service is currently not integrated with Gemini function calls and thus poses no immediate threat via the AI. Critical financial operations (`transfer_money`) rely on parameters extracted by Gemini from user input, which are then passed to the `TransactionService`. Extensive `GLOBAL_PROMPT` engineering and a `MissingInputResolver` are used to guide Gemini and handle missing parameters, which are crucial for preventing misuse and ensuring correct function execution. The direct function invocation endpoint `/v1/api/mcp/invoke` is stubbed and returns `null`, reducing its attack surface.