The firewall for AI agents. Open-source policy enforcement for MCP.
Website: policylayer.com
Intercept is a deterministic enforcement proxy for the Model Context Protocol (MCP). It sits between an AI agent and an MCP server, evaluating every tools/call request against YAML-defined policies. Violating calls are blocked at the transport layer before reaching the upstream server.
┌──────────┐       ┌───────────┐       ┌────────────┐
│  LLM/AI  │──────>│ Intercept │──────>│ MCP Server │
│  Client  │<──────│  (proxy)  │<──────│ (upstream) │
└──────────┘       └───────────┘       └────────────┘
                         │
                    ┌────┴────┐
                    │ Policy  │
                    │ Engine  │
                    └────┬────┘
                    ┌────┴────┐
                    │ State   │
                    │ Store   │
                    └─────────┘
MCP gives AI agents access to every tool on a server with no access control. There are no rate limits, no spending caps, and no audit trail out of the box. Prompt-based guardrails live inside the model context and can be bypassed — the agent can rewrite, ignore, or reason around them. Intercept enforces policy at the transport layer, below the model. The agent never sees the rules and cannot circumvent them.
delete_repository)
amount <= 500, currency in [usd, eur])
rate_limit: 5/hour shorthand
args.amount across calls)
tools/list so the agent never sees them, saving context window tokens
intercept validate -c policy.yaml catches errors before deployment
npx:
npx -y @policylayer/intercept -c policy.yaml --upstream https://mcp.stripe.com --header "Authorization: Bearer sk_live_..."
npm:
npm install -g @policylayer/intercept
Go:
go install github.com/policylayer/intercept@latest
Pre-built binaries:
Download from GitHub Releases and place the binary on your PATH.
1. Generate a policy scaffold from a running MCP server:
intercept scan -o policy.yaml -- npx -y @modelcontextprotocol/server-stripe
This connects to the server, discovers all available tools, and writes a commented YAML file listing each tool with its parameters.
2. Edit the policy to add rules:
version: "1"
description: "Stripe MCP server policies"
hide:
  - delete_customer
  - delete_product
  - delete_invoice
tools:
  create_charge:
    rules:
      - name: "max single charge"
        conditions:
          - path: "args.amount"
            op: "lte"
            value: 50000
        on_deny: "Single charge cannot exceed $500.00"
      - name: "daily spend cap"
        conditions:
          - path: "state.create_charge.daily_spend"
            op: "lte"
            value: 1000000
        on_deny: "Daily spending cap of $10,000.00 reached"
        state:
          counter: "daily_spend"
          window: "day"
          increment_from: "args.amount"
      - name: "allowed currencies"
        conditions:
          - path: "args.currency"
            op: "in"
            value: ["usd", "eur"]
        on_deny: "Only USD and EUR charges are permitted"
  create_refund:
    rules:
      - name: "refund limit"
        rate_limit: 10/day
        on_deny: "Daily refund limit (10) reached"
3. Run the proxy:
intercept -c policy.yaml --upstream https://mcp.stripe.com --header "Authorization: Bearer sk_live_..."
Intercept proxies all MCP traffic and enforces your policy on every tool call. Hidden tools are stripped from the agent's view entirely.
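To make the rule semantics concrete, here is an added sketch (not Intercept's own code) that evaluates a tools/call request against the create_charge rules from step 2 and filters a tools/list result. The names evaluate, resolve, filter_tools_list and the in-memory counters dict are hypothetical. It assumes the counter is read before the call and incremented only after every rule passes, and that tools without rules pass through.

```python
# Added illustration (not Intercept's code): a simplified model of policy evaluation.
import datetime

POLICY = {  # mirrors the YAML policy from step 2
    "hide": ["delete_customer", "delete_product", "delete_invoice"],
    "tools": {"create_charge": {"rules": [
        {"name": "max single charge", "on_deny": "Single charge cannot exceed $500.00",
         "conditions": [{"path": "args.amount", "op": "lte", "value": 50000}]},
        {"name": "daily spend cap", "on_deny": "Daily spending cap of $10,000.00 reached",
         "conditions": [{"path": "state.create_charge.daily_spend", "op": "lte", "value": 1000000}],
         "state": {"counter": "daily_spend", "window": "day", "increment_from": "args.amount"}},
        {"name": "allowed currencies", "on_deny": "Only USD and EUR charges are permitted",
         "conditions": [{"path": "args.currency", "op": "in", "value": ["usd", "eur"]}]},
    ]}},
}

def is_num(v):
    return isinstance(v, (int, float)) and not isinstance(v, bool)

# A missing or wrongly typed argument fails the condition, so the call is denied.
OPS = {"lte": lambda a, b: is_num(a) and a <= b, "in": lambda a, b: a in b}

def resolve(path, ctx):
    """Walk a dotted path such as args.amount; a missing key yields None."""
    for key in path.split("."):
        ctx = ctx.get(key) if isinstance(ctx, dict) else None
    return ctx

def evaluate(request, counters, day=None):
    """Return (allowed, reason) for one JSON-RPC tools/call request."""
    day = day or datetime.date.today().isoformat()
    tool, args = request["params"]["name"], request["params"].get("arguments", {})
    rules = POLICY["tools"].get(tool, {}).get("rules", [])
    stateful = [r["state"] for r in rules if "state" in r]
    # Assumption: counters are keyed by (tool, counter, day), so a new day starts at 0.
    state = {tool: {s["counter"]: counters.get((tool, s["counter"], day), 0) for s in stateful}}
    ctx = {"args": args, "state": state}
    for rule in rules:
        for cond in rule["conditions"]:
            if not OPS[cond["op"]](resolve(cond["path"], ctx), cond["value"]):
                return False, rule["on_deny"]
    for s in stateful:  # increment only once every rule has passed
        key = (tool, s["counter"], day)
        counters[key] = counters.get(key, 0) + resolve(s["increment_from"], ctx)
    return True, "ok"

def filter_tools_list(tools):
    """Drop hidden tools from a tools/list result before the agent sees it."""
    return [t for t in tools if t["name"] not in POLICY["hide"]]
```

Under these assumed semantics a denied call leaves the counter untouched, and a charge that passes while the counter is just under the cap can carry the daily total past it by up to one maximum single charge.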
The policies/ directory contains ready-made policy scaffolds for 43 popular MCP servers including GitHub, Stripe, AWS, Notion, Slack, and more. Each file lists every tool with its description, grouped by category (Read, Write, Execute, Financial, Destructive).
Copy one as a starting point:
cp policies/stripe.yaml policy.yaml
# edit to add your rules, then:
intercept -c policy.yaml --upstream https://mcp.stripe.com
Browse all policies → policies/
To use Intercept with Claude Code (or any MCP client that reads .mcp.json), point the server command at Intercept:
{
  "mcpServers": {
    "github": {
      "command": "intercept",
      "args": [
        "-c", "/path/to/policy.yaml",
        "--",
        "npx", "-y", "@modelcontextprotocol/server-github"
      ],
      "env": {
        "GITHUB_PERSONAL_ACCESS_TOKEN": "..."
      }
    }
  }
}
For remote HTTP servers, use --upstream instead of a command:
{
  "mcpServers": {
    "stripe": {
      "command": "intercept",
      "args": [
        "-c", "/path/to/policy.yaml",
        "--upstream", "https://mcp.stripe.com",
        "--header", "Authorization: Bearer tok"
      ]
    }
  }
}
Rate limits and counters persist across restarts. SQLite is the default (zero config). Redis is supported for multi-instance deployments:
intercept -c policy.yaml --state-dsn redis://localhost:6379 --upstream https://mcp.stripe.com
Contributions welcome — open an issue to discuss what you'd like to change.
Install Intercept with a single command:
npx mdskills install policylayer/intercept
This downloads the skill files into your project and your AI agent picks them up automatically.
Intercept works with Claude Code, Claude Desktop, Cursor, VS Code Copilot, Windsurf, Continue Dev, Gemini CLI, Amp, Roo Code, and Goose. Skills use the open SKILL.md format, which is compatible with any AI coding agent that reads markdown instructions.